mirror/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-04-18 05:42:35 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Enforce maximum size of early data in case of HRR

Browse Source 
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
This commit is contained in:
Ronald Cron 2024-02-09 16:17:10 +01:00
parent 919e596c05
commit 01d273d31f
3 changed files with 33 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
library/ssl_msg.c
View File

@ -4135,7 +4135,12 @@ static int ssl_prepare_record_content(mbedtls_ssl_context *ssl,
if (rec->type == MBEDTLS_SSL_MSG_APPLICATION_DATA) { if (rec->type == MBEDTLS_SSL_MSG_APPLICATION_DATA) {
MBEDTLS_SSL_DEBUG_MSG( MBEDTLS_SSL_DEBUG_MSG(
3, ("EarlyData: Ignore application message before 2nd ClientHello")); 3, ("EarlyData: Ignore application message before 2nd ClientHello"));
/* TODO: Add max_early_data_size check here, see issue 6347 */
ret = mbedtls_ssl_tls13_check_early_data_len(ssl, rec->data_len);
if (ret != 0) {
return ret;
}
return MBEDTLS_ERR_SSL_CONTINUE_PROCESSING; return MBEDTLS_ERR_SSL_CONTINUE_PROCESSING;
} else if (rec->type == MBEDTLS_SSL_MSG_HANDSHAKE) { } else if (rec->type == MBEDTLS_SSL_MSG_HANDSHAKE) {
ssl->discard_early_data_record = MBEDTLS_SSL_EARLY_DATA_NO_DISCARD; ssl->discard_early_data_record = MBEDTLS_SSL_EARLY_DATA_NO_DISCARD;

9
tests/suites/test_suite_ssl.data
View File

@ -3327,3 +3327,12 @@ tls13_srv_max_early_data_size:TEST_EARLY_DATA_SERVER_REJECTS:3
TLS 1.3 srv, max early data size, server rejects, max=97 TLS 1.3 srv, max early data size, server rejects, max=97
tls13_srv_max_early_data_size:TEST_EARLY_DATA_SERVER_REJECTS:97 tls13_srv_max_early_data_size:TEST_EARLY_DATA_SERVER_REJECTS:97
TLS 1.3 srv, max early data size, HRR, default
tls13_srv_max_early_data_size:TEST_EARLY_DATA_HRR:-1
TLS 1.3 srv, max early data size, HRR, max=3 (very small)
tls13_srv_max_early_data_size:TEST_EARLY_DATA_HRR:3
TLS 1.3 srv, max early data size, HRR, max=97
tls13_srv_max_early_data_size:TEST_EARLY_DATA_HRR:97

19
tests/suites/test_suite_ssl.function
View File

@ -4463,6 +4463,11 @@ void tls13_srv_max_early_data_size(int scenario, int max_early_data_size_arg)
mbedtls_test_handshake_test_options server_options; mbedtls_test_handshake_test_options server_options;
mbedtls_ssl_session saved_session; mbedtls_ssl_session saved_session;
mbedtls_test_ssl_log_pattern server_pattern = { NULL, 0 }; mbedtls_test_ssl_log_pattern server_pattern = { NULL, 0 };
uint16_t group_list[3] = {
MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1,
MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1,
MBEDTLS_SSL_IANA_TLS_GROUP_NONE
};
char pattern[128]; char pattern[128];
unsigned char buf_write[64]; unsigned char buf_write[64];
size_t early_data_len = sizeof(buf_write); size_t early_data_len = sizeof(buf_write);
@ -4484,8 +4489,10 @@ void tls13_srv_max_early_data_size(int scenario, int max_early_data_size_arg)
*/ */
client_options.pk_alg = MBEDTLS_PK_ECDSA; client_options.pk_alg = MBEDTLS_PK_ECDSA;
client_options.group_list = group_list;
client_options.early_data = MBEDTLS_SSL_EARLY_DATA_ENABLED; client_options.early_data = MBEDTLS_SSL_EARLY_DATA_ENABLED;
server_options.pk_alg = MBEDTLS_PK_ECDSA; server_options.pk_alg = MBEDTLS_PK_ECDSA;
server_options.group_list = group_list;
server_options.early_data = MBEDTLS_SSL_EARLY_DATA_ENABLED; server_options.early_data = MBEDTLS_SSL_EARLY_DATA_ENABLED;
server_options.max_early_data_size = max_early_data_size_arg; server_options.max_early_data_size = max_early_data_size_arg;
@ -4512,6 +4519,15 @@ void tls13_srv_max_early_data_size(int scenario, int max_early_data_size_arg)
mbedtls_debug_set_threshold(3); mbedtls_debug_set_threshold(3);
break; break;
case TEST_EARLY_DATA_HRR:
server_options.group_list = group_list + 1;
ret = mbedtls_snprintf(
pattern, sizeof(pattern),
"EarlyData: Ignore application message before 2nd ClientHello");
TEST_ASSERT(ret < (int) sizeof(pattern));
mbedtls_debug_set_threshold(3);
break;
default: default:
TEST_FAIL("Unknown scenario."); TEST_FAIL("Unknown scenario.");
} }
@ -4595,7 +4611,8 @@ void tls13_srv_max_early_data_size(int scenario, int max_early_data_size_arg)
} }
break; break;
case TEST_EARLY_DATA_SERVER_REJECTS: case TEST_EARLY_DATA_SERVER_REJECTS: /* Intentional fallthrough */
case TEST_EARLY_DATA_HRR:
ret = mbedtls_ssl_handshake(&(server_ep.ssl)); ret = mbedtls_ssl_handshake(&(server_ep.ssl));
/* /*
* Can be the case if max_early_data_size is smaller then the * Can be the case if max_early_data_size is smaller then the