Valerio Setti
0c8ec3983e
ssl_tls: fix proper guards for accelerated ECDH
...
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-03-22 10:48:34 +01:00
Paul Elliott
f1eb5e2a04
Merge branch 'development-restricted' into mbedtls-3.4.0rc0-pr
...
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2023-03-21 15:35:17 +00:00
Jan Bruckner
1a38e54436
Changes from 2nd review
...
Signed-off-by: Jan Bruckner <jan@janbruckner.de>
2023-03-15 14:15:11 +01:00
Jan Bruckner
a0589e75a0
Changes from review
...
Signed-off-by: Jan Bruckner <jan@janbruckner.de>
2023-03-15 11:04:45 +01:00
Jan Bruckner
151f64283f
Add parsing for Record Size Limit extension in TLS 1.3
...
Fixes #7007
Signed-off-by: Jan Bruckner <jan@janbruckner.de>
2023-03-14 08:41:25 +01:00
Paul Elliott
e4622a3436
Merge remote-tracking branch 'development/development' into development-restricted
...
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2023-03-13 17:49:32 +00:00
Manuel Pégourié-Gonnard
43cc127d3a
Fix code style
...
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2023-02-21 15:39:12 +01:00
Manuel Pégourié-Gonnard
b8b07aa24a
Handle errors from functions that now return int
...
A few functions were changed from returning void to returning int three
commits ago. Make sure their callers check the return values.
This commits was basically a matter of declaring newly-int-returning
functions MBEDTLS_CHECK_RETURN_CRITICAL and then fixing the resulting
warnings. A few functions had to be made int in the process; they were
applied the same process as well.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2023-02-21 15:39:12 +01:00
Ronald Cron
d89360b87b
Fix and improve documentation, comments and logs
...
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2023-02-21 14:57:25 +01:00
Ronald Cron
25e9ec61f0
tls13: server: Select preferred cipher suite
...
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2023-02-20 11:42:19 +01:00
Ronald Cron
fc7ae87ad4
tls13: server: Check ciphersuite list length parity once
...
Check ciphersuite list length parity once,
mainly to enable the possibility of getting
out of the loop of the ciphersuites whenever
we want.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2023-02-20 11:42:19 +01:00
Ronald Cron
606671e06e
tls13: server: Check mbedtls_ssl_set_hs_psk returned value
...
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2023-02-20 11:42:19 +01:00
Pengyu Lv
52ad333040
simplify helper function name
...
Rename ssl_tls13_check_psk_mode_allowed_by_ticket to
ssl_tls13_ticket_permission_check
Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>
2023-02-14 14:32:37 +08:00
Xiaokang Qian
934ce6f6a9
Rename the finalize_client{server}_hello()
...
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
2023-02-08 05:47:48 +00:00
Pengyu Lv
306a01da4d
refactor: move ticket_flags check into a function
...
Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>
2023-02-02 16:57:49 +08:00
Pengyu Lv
766796839b
Revert "TLS 1.3: SRV: Validate kex modes when parsing psk"
...
This reverts commit f8e50a9607
.
Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>
2023-02-02 16:57:42 +08:00
Pengyu Lv
dadeb20383
TLS 1.3: SRV: Don't select ephemeral mode on resumption
...
Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>
2023-01-18 17:42:26 +08:00
Pengyu Lv
f8e50a9607
TLS 1.3: SRV: Validate kex modes when parsing psk
...
On resumption, after the psk identity is matched, we
should check if psk and/or psk_ephemeral, which are
allowed by session ticket, are valid to be selected.
Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>
2023-01-18 17:42:12 +08:00
Pengyu Lv
0b740bc85b
TLS 1.3: SRV: Check ticket_flags in kex mode determination
...
When determining the key exchange mode, ticket_flags
should be checked so that the server won't select the
kex mode that is forbidden from session ticket.
Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>
2023-01-18 17:37:57 +08:00
Pengyu Lv
e2f1dbf5ae
update docs of ssl_client2 and improve code format
...
Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>
2023-01-16 12:38:12 +08:00
Pengyu Lv
4938a566bf
refine ticket_flags printing helper
...
Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>
2023-01-16 11:28:49 +08:00
Pengyu Lv
3643fdbab9
refine the state setting in tls13_handshake_wrapup
...
Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>
2023-01-13 11:06:02 +08:00
Pengyu Lv
189465306d
remove MBEDTLS_ERR_SSL_TICKET_INVALID_KEX_MODE error
...
Return MBEDTLS_ERR_ERROR_GENERIC_ERROR when ticket_flags
are not compatible with advertised key exchange mode.
Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>
2023-01-13 11:06:00 +08:00
Pengyu Lv
80270b2151
rename ticket_flags helper functions to generic ones
...
Ticket flags is quite generic and may make sense in the
future versions of TLS or even in TLS 1.2 with new
extensions. This change remane the ticket_flags helper
functions with more generic `mbedtls_ssl_session` prefix
instead of `mbedtls_ssl_tls13_session`.
Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>
2023-01-13 11:05:59 +08:00
Pengyu Lv
a1aa31b8b1
fix review comments
...
Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>
2023-01-13 11:05:58 +08:00
Pengyu Lv
9eacb44a5e
improve code format and readability
...
Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>
2023-01-13 11:05:57 +08:00
Pengyu Lv
e6487fe3c2
guard tls13_kex_modes related function calls with macro
...
Handshake parameter field, tls13_kex_mode is only valid when
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED is set.
So, any functions / calls should be guarded by this macros.
Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>
2023-01-13 11:05:55 +08:00
Pengyu Lv
3eb49be6a8
move kex mode check in ticket_flags to psks_check_identity_match_ticket
...
Move the kex mode check in ticket_flags to
ssl_tls13_offered_psks_check_identity_match_ticket and add new error
'MBEDTLS_ERR_SSL_TICKET_INVALID_KEX_MODE' to indicate the check
failure.
Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>
2023-01-13 11:05:55 +08:00
Pengyu Lv
c7af2c4f8c
tls13: send new session ticket only when client supports psk
...
Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>
2023-01-13 11:05:54 +08:00
Pengyu Lv
c55eeb682d
tls13: check if the session ticket is compatible with key exchange modes
...
The server check if the ticket_flags is compatible with the advertised
key exchange modes in Pre-Shared Key Exchange Modes extension. The
incompatible ticket should be mark as not matched.
Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>
2023-01-13 11:05:53 +08:00
Pengyu Lv
9f92695c8d
tls13: set key exchange mode in ticket_flags on client/server
...
Set the ticket_flags when:
- server: preparing NST (new session ticket) message
- client: postprocessing NST message
Clear the ticket_flags when:
- server: preparing NST message
- client: parsing NST message
Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>
2023-01-13 11:05:53 +08:00
Gilles Peskine
449bd8303e
Switch to the new code style
...
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-01-11 14:50:10 +01:00
Jerry Yu
141bbe7bee
tls13: Adjust include files
...
- remove duplicate and unused included
- Adjust the order to system, mbedtls global, local.
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-12-09 09:51:20 +08:00
Tom Cosgrove
1797b05602
Fix typos prior to release
...
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
2022-12-04 17:19:59 +00:00
Jerry Yu
a8d3c5048f
Rename new session ticket name for TLS 1.3
...
NewSessionTicket is different with TLS 1.2.
It should not share same state.
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-11-19 20:12:35 +08:00
Jerry Yu
97be6a913e
fix various issues
...
- typo error
- replace `ssl->hanshake` with handshake
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-11-09 22:43:31 +08:00
Jerry Yu
7de2ff0310
Refactor extension list print
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-11-08 23:51:39 +08:00
Jerry Yu
79aa721ade
Rename ext print function and macro
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-11-08 23:51:39 +08:00
Jerry Yu
b95dd3683b
Add missing mask set and tls13 unrecognized extension
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-11-08 23:51:38 +08:00
Jerry Yu
c437ee3bac
fix wrong return value
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-11-08 21:04:15 +08:00
Jerry Yu
e5991328ff
fix tls13 psk only test fail
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-11-08 16:16:29 +08:00
Jerry Yu
50e00e3ac6
Refactor server hello
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-11-06 11:54:22 +08:00
Jerry Yu
edab637b51
Refactor new session ticket
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-11-06 11:54:22 +08:00
Jerry Yu
63a459cde5
Refactor client_hello parser and writer
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-11-06 11:54:21 +08:00
Jerry Yu
4b8f2f7266
Refactor sent extension message output
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-11-06 11:54:21 +08:00
Jerry Yu
c4bf5d658e
fix various issues
...
- Signature of
- mbedtls_tls13_set_hs_sent_ext_mask
- check_received_extension and issues
- Also fix comment issue.
- improve readablity.
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-10-31 16:41:42 +08:00
Jerry Yu
0c354a211b
introduce sent/recv extensions field
...
And remove `extensions_present`
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-10-31 16:41:42 +08:00
Jerry Yu
e18dc7eb9a
Add forbidden extensions check for ClientHello
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-10-31 16:41:42 +08:00
Jerry Yu
471dee5a12
Add debug helpers to track extensions
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-10-31 16:41:42 +08:00
Ronald Cron
04e2133f45
Merge pull request #6482 from ronald-cron-arm/tls13-misc
...
TLS 1.3: Update documentation for the coming release and misc
2022-10-28 11:09:03 +02:00
Ronald Cron
eac00ad2a6
tls13: server: Note down client not being authenticated in SSL context
...
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2022-10-25 20:02:03 +02:00
Gilles Peskine
744fd37d23
Merge pull request #6467 from davidhorstmann-arm/fix-unusual-macros-0
...
Fix unusual macros
2022-10-25 19:55:29 +02:00
Ronald Cron
766c0cdb1f
tls13: Add missing kex guards
...
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2022-10-22 14:42:04 +02:00
Ronald Cron
41a443a68d
tls13: Use MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK.*ENABLED
...
Use MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED
instead of MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED to guard
code specific to one of the TLS 1.3 key exchange mode with
PSK.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2022-10-22 14:42:04 +02:00
Ronald Cron
928cbd34e7
tls13: Use MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
...
Use MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
instead of MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED to guard
code specific to the TLS 1.3 ephemeral key exchange mode.
Use it also for the dependencies of TLS 1.3 only tests
relying on ephemeral key exchange mode, but for
tests in tls13-kex-modes.sh where the change is done
later using all
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_.*ENABLED macros.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2022-10-22 14:42:04 +02:00
Ronald Cron
49e4184812
Merge pull request #6299 from xkqian/tls13_add_servername_check
...
Add server name check when proposing pre-share key
2022-10-13 16:00:59 +02:00
Gilles Peskine
0fe6631486
Merge pull request #6291 from gilles-peskine-arm/platform.h-unconditional-3.2
...
Include platform.h unconditionally
2022-10-13 10:19:22 +02:00
Xiaokang Qian
28af501cae
Fix the ticket_lifetime equal to 0 issue
...
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
2022-10-13 08:18:19 +00:00
Xiaokang Qian
be98f96de2
Remove useless hostname check in server side
...
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
2022-10-12 11:03:44 +00:00
Xiaokang Qian
281fd1bdd8
Add server name check when proposeing pre-share key
...
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
2022-10-12 11:03:41 +00:00
Jerry Yu
c2bfaf00d9
fix wrong typo
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-10-11 18:07:19 +08:00
Jerry Yu
03aa174d7c
Improve test message and title
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-10-10 21:48:37 +08:00
Jerry Yu
a99cbfa2d3
fix various issues
...
- rename function and variable
- change signature of `ssl_tls13_has_configured_psk`
- remove unnecessary statements
- remove unnecessary local variables
- wrong variable initial value
- improve output message
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-10-08 14:35:47 +08:00
David Horstmann
21b89761f8
Refactor macro-spanning if in ssl_tls13_server.c
...
Signed-off-by: David Horstmann <david.horstmann@arm.com>
2022-10-07 14:08:42 +01:00
Jerry Yu
25ab654781
Add dummy ticket support
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-10-07 10:11:05 +08:00
Manuel Pégourié-Gonnard
e3358e14b2
Merge pull request #6051 from mprse/permissions_2b_v2
...
Permissions 2b: TLS 1.3 sigalg selection
2022-09-28 09:50:04 +02:00
Ronald Cron
b72dac4ed7
Fix PSA identifier of RSA_PKCS1V15 signing algorithms
...
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2022-09-27 09:25:47 +02:00
Paul Elliott
2c282c9bd0
Merge pull request #6180 from yuhaoth/pr/add-tls13-multiple-session-tickets
...
TLS 1.3: NewSessionTicket: Add support for sending multiple tickets per session.
2022-09-23 15:48:33 +01:00
Jerry Yu
359e65f784
limit session ticket number when resumption
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-09-22 23:47:43 +08:00
Gilles Peskine
07ba2be20b
Merge pull request #6304 from yuhaoth/pr/exclude-pre_shared_key-from-hrr-msg
...
TLS 1.3: PSK: Exclude pre_shared_key for HRR
2022-09-22 10:21:06 +02:00
Jerry Yu
b7e3fa7fbd
move count decrement after success sent
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-09-22 13:21:29 +08:00
Jerry Yu
d0766eca58
fix various issues
...
- Improve comments
- Align count variable name to `new_session_tickets_count`
- move tickets_count init to handshake init
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-09-22 13:21:29 +08:00
Ronald Cron
67ea2543ed
tls13: server: Add sig alg checks when selecting best certificate
...
When selecting the server certificate based on
the signature algorithms supported by the client,
check the signature algorithms as close as possible
to the way they are checked to compute the
signature for the server to prove it possesses
the private key associated to the certificate.
That way we minimize the odds of selecting a
certificate for which the server will not be
able to compute the signature to prove it
possesses the private key associated to the
certificate.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2022-09-20 14:26:32 +02:00
Jerry Yu
d4e7500a07
Enable multi session tickets on Server
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-09-19 14:24:03 +08:00
Ronald Cron
be0224aef3
Merge pull request #6167 from yuhaoth/pr/finalize-tls13-session-tickets
2022-09-18 21:18:13 +02:00
Jerry Yu
ad4d2bb3e1
Exclude pre_shared_key for HRR
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-09-16 18:16:49 +08:00
Gilles Peskine
945b23c46f
Include platform.h unconditionally: automatic part
...
We used to include platform.h only when MBEDTLS_PLATFORM_C was enabled, and
to define ad hoc replacements for mbedtls_xxx functions on a case-by-case
basis when MBEDTLS_PLATFORM_C was disabled. The only reason for this
complication was to allow building individual source modules without copying
platform.h. This is not something we support or recommend anymore, so get
rid of the complication: include platform.h unconditionally.
There should be no change in behavior since just including the header should
not change the behavior of a program.
This commit replaces most occurrences of conditional inclusion of
platform.h, using the following code:
```
perl -i -0777 -pe 's!#if.*\n#include "mbedtls/platform.h"\n(#else.*\n(#define (mbedtls|MBEDTLS)_.*\n|#include <(stdarg|stddef|stdio|stdlib|string|time)\.h>\n)*)?#endif.*!#include "mbedtls/platform.h"!mg' $(git grep -l '#include "mbedtls/platform.h"')
```
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-09-15 20:33:07 +02:00
Jerry Yu
0a55cc647c
Remove unnecessary var and improve comment
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-09-15 16:15:06 +08:00
Jerry Yu
f7dad3cfbe
fix various issues
...
- Naming
- format
- Reduce negative tolerance window
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-09-14 22:31:39 +08:00
Jerry Yu
acff823846
Add negative tolerance window
...
If `now == session->start` or the timer of
client is faster than server, client age might
be bigger than server.
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-09-14 14:50:44 +08:00
Jerry Yu
4746b10c2e
fix various issues
...
- Format issues
- Possible memory leak
- Improve naming and comment issues
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-09-13 15:37:46 +08:00
Jerry Yu
8d4bbbae4f
fix ticket age check issues
...
- Ticket age and ticket age add, obfuscated age
use different unit. Align the units to million
seconds.
- Add maximum ticket age check. Until now,
ticket_lifetime is not recorded in server side.
Check it with maximum ticket_lifetime.
- Free session when error found.
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-09-13 15:37:46 +08:00
Jerry Yu
466dda8553
Rename resumption master secret compute function
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-09-13 14:28:15 +08:00
Jerry Yu
58af2335d9
Add possible group tests for psk with ECDHE
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-09-06 14:49:39 +08:00
Jerry Yu
fd310ebf2d
fix coding style issues
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-09-06 09:16:35 +08:00
Jerry Yu
8253486c4f
Add session ticket support for server
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-08-31 23:24:25 +08:00
Jerry Yu
95699e72f3
Add session ticket identity check
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-08-31 23:24:25 +08:00
Jerry Yu
1e05b6dd6d
fix coding style and unnecessary assignment
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-08-31 10:35:52 +08:00
Jerry Yu
e5834fd0d7
remove unnecessary test
...
also optimize check sum
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-08-29 20:33:33 +08:00
Jerry Yu
0baf907e11
remove select_ciphersuite
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-08-25 11:21:04 +08:00
Jerry Yu
c5a23a0f12
fix various issues
...
- code style
- variable initialize
- update comments
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-08-25 11:09:35 +08:00
Jerry Yu
f35ba384ff
Add select ciphersuite entry function
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-08-23 22:01:58 +08:00
Jerry Yu
dd1bef788e
Add ciphersuite_info check
...
return null if no valid ciphersuite info
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-08-23 17:57:02 +08:00
Jerry Yu
29d9faa468
fix various issues.
...
- comments issues
- code format style issues
- naming improvement.
- error return improvements
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-08-23 17:53:43 +08:00
Jerry Yu
5725f1cf3a
Align ciphersuite with overwrite.
...
Selected ciphersuite MUST be same with ciphsersuite of PSK.
Overwrite the old ciphersuite with the one of PSK.
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-08-21 17:50:27 +08:00
Jerry Yu
9f7f646b11
Revert "remove psk key when ephemeral selected"
...
This reverts commit 5c28e7aa0e
.
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-08-21 12:59:17 +08:00
Jerry Yu
e9d4fc09a3
fix binder value security issue
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-08-21 12:59:17 +08:00
Jerry Yu
24b8c813c4
fix comments and wrong initial value issues
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-08-21 12:55:45 +08:00
Jerry Yu
6cf6b47b5c
fix format and comment issues
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-08-21 12:54:53 +08:00
Jerry Yu
5c28e7aa0e
remove psk key when ephemeral selected
...
ephemeral is selected, `handshake->psk` must be removed.
Otherwise the encrypt key will be caculate fail.
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-08-11 21:25:35 +08:00
Jerry Yu
56acc9421c
Write key_share base on key_exchange mode.
...
In ServerHello, write key share should base on key_exchange mode, not
base on configuration.
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-08-11 21:25:35 +08:00
Jerry Yu
f0bad2554a
Continue check next psk key when binder mismatch
...
with matched identity and mismatch binder, should check next psk key.
Exit with error will break multi-psk cases.
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-08-11 21:25:35 +08:00
Jerry Yu
32e1370fbc
Add config check for pre_shared_key parser
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-08-11 21:25:35 +08:00
Jerry Yu
e95c8af266
Align ciphersuite with psk key
...
With OpenSSL and GnuTLS client, if the MAC of ciphersuite
does not match selected binder, client will reject connection.
This change is to select ciphersuite base on algo of psk binder.
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-08-11 21:25:35 +08:00
Jerry Yu
40f3771e18
Add handshake psk export function.
...
Rename `ssl_tls13_get_psk` and export the
function.
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-08-11 21:25:35 +08:00
Thomas Daubney
31e03a8e15
Replace hard-coded zeroes for constant
...
Replace two occurances of hard-coded zero for
MBEDTLS_SSL_COMPRESS_NULL in TLS 1.3 code.
Signed-off-by: Thomas Daubney <thomas.daubney@arm.com>
2022-07-26 16:13:23 +01:00
Ronald Cron
e579ece305
Merge pull request #6087 from yuhaoth/pr/add-tls13-serialize_session_save_load
...
TLS 1.3: Add serialize session save load
I can see that https://github.com/Mbed-TLS/mbedtls/pull/6087#discussion_r927935696 and https://github.com/Mbed-TLS/mbedtls/pull/6087#discussion_r924252403 are addressed in #6123 . Thus I am ok to merge it as it is.
2022-07-23 08:57:11 +02:00
Ronald Cron
340c559cb3
Merge pull request #6079 from yuhaoth/pr/add-tls13-parse-pre_shared_key_offered_psks
...
TLS 1.3: PSK: Add parser/writer of pre_shared_key extension on server side.
2022-07-23 08:50:45 +02:00
Jerry Yu
13ab81d5ac
Add handshake failure in pre_shared_key withou psk_kex_modes
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-07-22 23:17:11 +08:00
Jerry Yu
a66fecebe7
Add endpoint/ticket_flag field for session
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-07-22 23:08:43 +08:00
Jerry Yu
6f1db3fc92
fix format and potential non-PSK fail issue
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-07-22 23:05:59 +08:00
Jerry Yu
ce6ed7076a
Change the order of key_exchange determine
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-07-22 21:49:53 +08:00
Jerry Yu
ba9b6e9e53
fix unkown identity case
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-07-22 21:45:05 +08:00
Jerry Yu
568ec2502a
fix format/name issues
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-07-22 21:27:34 +08:00
Jerry Yu
2f0abc94d8
fix typo/type/format issues
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-07-22 19:34:48 +08:00
Jerry Yu
77f0148e11
Add psk/psk_ephemeral key exchange check
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-07-21 23:27:22 +08:00
Ronald Cron
32578b3bd0
Merge pull request #6069 from yuhaoth/pr/add-tls13-write-new-session-ticket
...
TLS 1.3:add tls13 write new session ticket
Validated by the internal CI and Travis.
2022-07-21 16:17:35 +02:00
Jerry Yu
96a2e368dc
TLS 1.3: Add pre-shared-key multiple psk parser
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-07-21 18:00:13 +08:00
Jerry Yu
6119715e05
Change type cast to size_t
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-07-21 16:28:02 +08:00
Jerry Yu
1c9247cff4
TLS 1.3: Add pre_share_key last ext check
...
From RFC, pre_share_key must be the last one.
Add check for it. And with/without psk, it should
be check
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-07-21 16:19:50 +08:00
Jerry Yu
352cd7db59
fix various issues
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-07-21 16:19:50 +08:00
Jerry Yu
daf375aa8b
fix issues of check_binder_match
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-07-21 16:19:50 +08:00
Jerry Yu
bb852029f4
fix naming issues
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-07-21 16:19:50 +08:00
Jerry Yu
6e74a7e3c7
Add check return flags
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-07-21 16:19:50 +08:00
Jerry Yu
997549353e
fix various code format issues
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-07-21 16:19:50 +08:00
Jerry Yu
032b15ce5e
Add write selected_identity
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-07-21 16:19:50 +08:00
Jerry Yu
1c105560b4
add offered psks parser
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-07-21 16:19:50 +08:00
Jerry Yu
fca4d579a4
fix various issues
...
- unnecessary comments
- format issue
- improve readability
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-07-21 10:37:48 +08:00
Ronald Cron
799077177b
TLS 1.3: Use selected key exchange mode field
...
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2022-07-20 17:49:58 +02:00
Jerry Yu
6cb4fcd1a5
Remove key exchange mode check.
...
This change does not meet RFC requirements.
It should be revert after key exchange mode issue
fixed
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-07-20 22:41:00 +08:00
Jerry Yu
e67bef4aba
Add tls13 write new session ticket
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-07-20 22:41:00 +08:00
Jerry Yu
854dd9e23f
fix comment issue
...
Co-authored-by: Xiaokang Qian <53458466+xkqian@users.noreply.github.com>
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-07-15 14:38:38 +08:00
Jerry Yu
299e31f10e
fix various issue
...
- remove unused test case
- add alert message
- improve readabitlity
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-07-13 23:06:36 +08:00
Jerry Yu
e19e3b9eb8
Add psk_key_exchange_modes parser
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-07-12 09:53:35 +00:00
Ronald Cron
ce7d76e2ee
Merge remote-tracking branch 'mbedtls-restricted/development-restricted' into mbedtls-3.2.0rc0-pr
2022-07-11 10:22:37 +02:00
Jerry Yu
9d3e2fa372
Add negative tests
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-06-29 16:19:06 +08:00
Jerry Yu
cc5391048e
fix various issues
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-06-29 16:18:30 +08:00
Jerry Yu
aebaaaf527
add debug messages
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-06-29 16:16:09 +08:00
Jerry Yu
d099cf0325
fix unused variable issue
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-06-29 16:13:47 +08:00
Jerry Yu
f55886a217
fix various issues
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-06-29 16:13:46 +08:00
Jerry Yu
fb526693c1
Rename sig_alg cert_key check
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-06-29 16:13:45 +08:00
Jerry Yu
f249ef7821
refactor get sig algo from pk
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-06-29 16:13:40 +08:00
Ronald Cron
7898fd456a
Merge pull request #5970 from gabor-mezei-arm/5229_Send_dummy_change_cipher_spec_records_from_server
...
TLS 1.3 server: Send dummy change_cipher_spec records
The internal CI PR-merge job ran successfully thus good to go.
2022-06-29 09:47:49 +02:00
Gabor Mezei
f7044eaec8
Fix name
...
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2022-06-28 16:01:49 +02:00
Gabor Mezei
96ae926572
Typo
...
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2022-06-28 11:56:26 +02:00
Gabor Mezei
5471912269
Move switching to handshake transform after sending CCS record
...
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2022-06-28 11:56:26 +02:00
Ronald Cron
7b8404608a
tls13: Rename ssl_tls13_write_hello_retry_request_coordinate
...
Rename ssl_tls13_write_hello_retry_request_coordinate to
ssl_tls13_prepare_hello_retry_request as it is more
aligned with what the function does.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2022-06-28 09:21:13 +02:00
Ronald Cron
63dc463ed6
tls13: Simplify switch to the inbound handshake keys on server side
...
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2022-06-28 09:21:13 +02:00
Ronald Cron
154d1b68d6
tls13: Fix wrong usage of MBEDTLS_SSL_CHK_BUF(_READ)_PTR macros
...
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2022-06-28 09:18:42 +02:00
Ronald Cron
b94854f8e3
Merge pull request #5973 from ronald-cron-arm/tls13-misc-tests
...
TLS 1.3: Enable and add tests
2022-06-28 09:15:17 +02:00
Ronald Cron
1938588e80
tls13: Align some debug messages with TLS 1.2 ones
...
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2022-06-24 12:06:46 +02:00
XiaokangQian
95d5f549f1
Fix coding styles
...
Change-Id: I0ac8ddab13767b0188112dfbbdb2264d36ed230a
Signed-off-by: XiaokangQian <xiaokang.qian@arm.com>
2022-06-24 05:42:15 +00:00
Gabor Mezei
7b39bf178e
Send dummy change_cipher_spec records from TLS 1.3 server
...
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2022-06-22 17:07:21 +02:00
XiaokangQian
acb3992251
Add ALPN extension to the server side
...
CustomizedGitHooks: yes
Change-Id: I6fe1516963e7b5727710872ee91fea7fc51d2776
Signed-off-by: XiaokangQian <xiaokang.qian@arm.com>
2022-06-22 06:34:58 +00:00
Manuel Pégourié-Gonnard
a3115dc0e6
Mark static int SSL functions CHECK_RETURN_CRITICAL
...
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2022-06-20 21:12:52 +02:00
Ronald Cron
ca3c6a5698
Merge pull request #5817 from xkqian/tls13_add_server_name
...
Tls13 add server name
2022-06-16 08:30:09 +02:00
XiaokangQian
75fe8c7e54
Change place of ssl_tls13_check_ephemeral_key_exchange
...
Change-Id: Id49172f7375e2a0771ad1216fb7eead808f0db3e
Signed-off-by: XiaokangQian <xiaokang.qian@arm.com>
2022-06-15 09:42:45 +00:00
XiaokangQian
fb665a8452
Adress the comments about styles and pick_cert
...
Change-Id: Iee89a27aaea6ebc8eb01c6c9985487f081ef7343
Signed-off-by: XiaokangQian <xiaokang.qian@arm.com>
2022-06-15 03:57:21 +00:00
XiaokangQian
07aad0710c
Refine function name ssl_tls13_pick_key_cert
...
Change-Id: I821e1485d9cfcca88fa3e18d345766ea48c64250
Signed-off-by: XiaokangQian <xiaokang.qian@arm.com>
2022-06-14 05:35:09 +00:00
XiaokangQian
81802f43a2
Select certificate base on the received signature list
...
Change-Id: Ife707db7fcfdb1e761ba86804cbf5dd766a5ee33
Signed-off-by: XiaokangQian <xiaokang.qian@arm.com>
2022-06-13 03:58:06 +00:00
XiaokangQian
96287d98d8
Remove the certificate key check against the received signature
...
Change-Id: I07d8d46c58dec499f96cb7307fc0af15149d9df7
CustomizedGitHooks: yes
Signed-off-by: XiaokangQian <xiaokang.qian@arm.com>
2022-06-08 08:37:53 +00:00
XiaokangQian
9850fa8e8d
Refine ssl_tls13_pick_cert()
...
Change-Id: I5448095e280d8968b20ade8b304d139e399e54f1
CustomizedGitHooks: yes
Signed-off-by: XiaokangQian <xiaokang.qian@arm.com>
2022-06-08 07:02:41 +00:00
XiaokangQian
23c5be6b94
Enable SNI test for both tls12 and tls13
...
Change-Id: Iae5c39668db7caa1a59d7e67f226a5286d91db22
CustomizedGitHooks: yes
Signed-off-by: XiaokangQian <xiaokang.qian@arm.com>
2022-06-07 09:43:13 +00:00
Ronald Cron
209cae9c42
tls13: server: Fix state update in CLIENT_CERTIFICATE
...
The state should be updated only if the handler
returns in success.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2022-06-07 10:58:22 +02:00
XiaokangQian
129aeb9b0e
Update test cases and support sni ca override
...
Change-Id: I6052acde0b0ec1c25537f8dd81a35562da05a393
Signed-off-by: XiaokangQian <xiaokang.qian@arm.com>
2022-06-02 09:29:18 +00:00
XiaokangQian
9b2b7716b0
Change mbedtls_ssl_parse_server_name_ext base on comments
...
Change-Id: I4ae831925cb1899afafb7dc626bfad9be24a5c8c
Signed-off-by: XiaokangQian <xiaokang.qian@arm.com>
2022-05-30 08:07:16 +00:00
XiaokangQian
40a3523eb7
Add support of server name extension to server side
...
Change-Id: Iccf5017e306ba6ead2e1026a29f397ead084cc4d
Signed-off-by: XiaokangQian <xiaokang.qian@arm.com>
2022-05-30 08:07:16 +00:00
XiaokangQian
aca9048b5f
Change base on review
...
Fix comments
Add test cases for client authentication with empty certificate
Change-Id: Id8a741ddd997ca92e36832f26088eb0e67830ad8
Signed-off-by: XiaokangQian <xiaokang.qian@arm.com>
2022-05-26 00:47:11 +00:00
XiaokangQian
989f06d52d
Change some comments base on review
...
Change-Id: I3db2b8ca8162eb368d2f17dfeffee8b25f9edf6f
Signed-off-by: XiaokangQian <xiaokang.qian@arm.com>
2022-05-26 00:47:11 +00:00
XiaokangQian
c3017f620f
Remove useless guards and refine checking
...
Change-Id: I9cd3073826fc65c203e479d83bed72331ff8963d
Signed-off-by: XiaokangQian <xiaokang.qian@arm.com>
2022-05-26 00:47:10 +00:00
XiaokangQian
189ded2b07
Remove coordinate functions and change state machine in server side
...
Change-Id: Id4abf78f493e77afc289409db691c9c61acde1d2
Signed-off-by: XiaokangQian <xiaokang.qian@arm.com>
2022-05-26 00:46:13 +00:00
XiaokangQian
6b916b1616
Add client certificate parse and certificate verify
...
Change-Id: I638db78922a03db6f8bd70c6c5f56fb60365547d
Signed-off-by: XiaokangQian <xiaokang.qian@arm.com>
2022-05-26 00:40:53 +00:00
Paul Elliott
8fba70f66c
Merge pull request #5749 from yuhaoth/pr/add-tls13-finished-message-and-wrapup
...
TLS 1.3: Add Finished Message and wrapup
2022-05-25 12:02:06 +01:00
Jerry Yu
e3d67cb263
Improve readability
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-05-19 15:33:10 +08:00
bootstrap-prime
6dbbf44d78
Fix typos in documentation and constants with typo finding tool
...
Signed-off-by: bootstrap-prime <bootstrap.prime@gmail.com>
2022-05-18 14:15:33 -04:00
Jerry Yu
bb2d47d956
Remove not used state
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-05-18 16:57:45 +08:00
Jerry Yu
e8c1fca67c
move trafic set to generic
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-05-18 16:57:45 +08:00
Jerry Yu
d6e253ded9
fix various issues
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-05-18 16:57:45 +08:00
Jerry Yu
4d8567fa9e
fix various issues
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-05-18 09:58:48 +08:00
Jerry Yu
03ed50ba6a
Add handshake wrapup
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-05-18 09:58:48 +08:00
Jerry Yu
ff2269889d
Add client finished
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-05-18 09:58:48 +08:00
Jerry Yu
27bdc7c6b6
Implement write server finish
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-05-18 09:58:48 +08:00
Jerry Yu
69dd8d4091
tls13:finished:add dummy frame work
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-05-18 09:58:48 +08:00
Ronald Cron
9edf51d8cd
Merge pull request #5785 from gabor-mezei-arm/5460_unify_parsing_sig_alg_ext
...
Unify parsing of the signature algorithms extension in TLS 1.2 and TLS 1.3
CI ABI API check job failure is expected as the PR do some changes in ssl_misc.h.
@RcColes if you eventually want to request some changes, they can be done in a follow-up PR.
2022-05-17 17:01:55 +02:00
Jerry Yu
b89125b81a
Add test without server certificate
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-05-13 15:50:04 +08:00
Jerry Yu
23d1a256ec
fix hrr handler undefine fail
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-05-12 20:11:16 +08:00
Jerry Yu
5a26f3000d
Refactor cert exchange states
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-05-12 14:44:59 +08:00
Jerry Yu
f1c3c4e77c
fix various issues
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-05-12 14:44:59 +08:00
Jerry Yu
c6e6dbf2e7
fix various issues
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-05-12 14:44:59 +08:00
Jerry Yu
4ff9e14356
Add server certificate verfiy
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-05-12 14:44:14 +08:00
Jerry Yu
1bff711a36
tls13:server:add server certificate writing
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-05-12 14:44:14 +08:00
Jerry Yu
83da34eb59
tls13:server:add dummy write certificate
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-05-12 14:44:14 +08:00
Gabor Mezei
078e803d2c
Unify parsing of the signature algorithms extension
...
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2022-05-11 14:29:08 +02:00
Jerry Yu
f41553b662
fix various issues
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-05-09 22:20:30 +08:00
Jerry Yu
ead5cce22c
improve readability
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-05-09 15:58:50 +08:00
Jerry Yu
4ca9140d43
fix coding style issues
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-05-09 15:55:39 +08:00
Jerry Yu
66d9e6f405
refactor next state of client hello
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-05-09 15:49:11 +08:00
Jerry Yu
4833056833
fix ci test fails
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-05-09 15:49:11 +08:00
Jerry Yu
7f157eb31f
Change alert message
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-05-09 15:49:11 +08:00
Jerry Yu
b8ac19a296
send alert when second hrr needed
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-05-09 15:49:09 +08:00