mirror/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-04-07 13:22:46 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Merge pull request #7353 from xkqian/tls13_fix_code_style

Browse Source 
Improve code styles for tls13 related files
This commit is contained in:
Dave Rodgman 2023-04-11 09:18:22 +01:00 committed by GitHub
commit 22d9ff6d3c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 362 additions and 315 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

135
library/ssl_tls13_client.c
View File

@ -117,7 +117,8 @@ static int ssl_tls13_parse_supported_versions_ext(mbedtls_ssl_context *ssl,
} }
if (&buf[2] != end) { if (&buf[2] != end) {
MBEDTLS_SSL_DEBUG_MSG(1, ("supported_versions ext data length incorrect")); MBEDTLS_SSL_DEBUG_MSG(
1, ("supported_versions ext data length incorrect"));
MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR, MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
MBEDTLS_ERR_SSL_DECODE_ERROR); MBEDTLS_ERR_SSL_DECODE_ERROR);
return MBEDTLS_ERR_SSL_DECODE_ERROR; return MBEDTLS_ERR_SSL_DECODE_ERROR;
@ -227,8 +228,8 @@ static int ssl_tls13_get_default_group_id(mbedtls_ssl_context *ssl,
} }
for (; *group_list != 0; group_list++) { for (; *group_list != 0; group_list++) {
if ((mbedtls_ssl_get_psa_curve_info_from_tls_id(*group_list, if ((mbedtls_ssl_get_psa_curve_info_from_tls_id(
NULL, NULL) == PSA_SUCCESS) && *group_list, NULL, NULL) == PSA_SUCCESS) &&
mbedtls_ssl_tls13_named_group_is_ecdhe(*group_list)) { mbedtls_ssl_tls13_named_group_is_ecdhe(*group_list)) {
*group_id = *group_list; *group_id = *group_list;
return 0; return 0;
@ -352,7 +353,8 @@ static int ssl_tls13_write_key_share_ext(mbedtls_ssl_context *ssl,
/* Output the total length of key_share extension. */ /* Output the total length of key_share extension. */
*out_len = p - buf; *out_len = p - buf;
MBEDTLS_SSL_DEBUG_BUF(3, "client hello, key_share extension", buf, *out_len); MBEDTLS_SSL_DEBUG_BUF(
3, "client hello, key_share extension", buf, *out_len);
mbedtls_ssl_tls13_set_hs_sent_ext_mask(ssl, MBEDTLS_TLS_EXT_KEY_SHARE); mbedtls_ssl_tls13_set_hs_sent_ext_mask(ssl, MBEDTLS_TLS_EXT_KEY_SHARE);
@ -402,8 +404,8 @@ static int ssl_tls13_parse_hrr_key_share_ext(mbedtls_ssl_context *ssl,
* then the client MUST abort the handshake with an "illegal_parameter" alert. * then the client MUST abort the handshake with an "illegal_parameter" alert.
*/ */
for (; *group_list != 0; group_list++) { for (; *group_list != 0; group_list++) {
if ((mbedtls_ssl_get_psa_curve_info_from_tls_id(*group_list, if ((mbedtls_ssl_get_psa_curve_info_from_tls_id(
NULL, NULL) == PSA_ERROR_NOT_SUPPORTED) || *group_list, NULL, NULL) == PSA_ERROR_NOT_SUPPORTED) ||
*group_list != selected_group) { *group_list != selected_group) {
continue; continue;
} }
@ -472,9 +474,9 @@ static int ssl_tls13_parse_key_share_ext(mbedtls_ssl_context *ssl,
/* Check that the chosen group matches the one we offered. */ /* Check that the chosen group matches the one we offered. */
offered_group = ssl->handshake->offered_group_id; offered_group = ssl->handshake->offered_group_id;
if (offered_group != group) { if (offered_group != group) {
MBEDTLS_SSL_DEBUG_MSG(1, MBEDTLS_SSL_DEBUG_MSG(
("Invalid server key share, our group %u, their group %u", 1, ("Invalid server key share, our group %u, their group %u",
(unsigned) offered_group, (unsigned) group)); (unsigned) offered_group, (unsigned) group));
MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE, MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE); MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE);
return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
@ -488,8 +490,9 @@ static int ssl_tls13_parse_key_share_ext(mbedtls_ssl_context *ssl,
return MBEDTLS_ERR_SSL_INTERNAL_ERROR; return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
} }
MBEDTLS_SSL_DEBUG_MSG(2, ("ECDH curve: %s", MBEDTLS_SSL_DEBUG_MSG(
mbedtls_ssl_get_curve_name_from_tls_id(group))); 2,
("ECDH curve: %s", mbedtls_ssl_get_curve_name_from_tls_id(group)));
ret = mbedtls_ssl_tls13_read_public_ecdhe_share(ssl, p, end - p); ret = mbedtls_ssl_tls13_read_public_ecdhe_share(ssl, p, end - p);
if (ret != 0) { if (ret != 0) {
@ -1410,8 +1413,8 @@ static int ssl_server_hello_is_hrr(mbedtls_ssl_context *ssl,
* } ServerHello; * } ServerHello;
* *
*/ */
MBEDTLS_SSL_CHK_BUF_READ_PTR(buf, end, MBEDTLS_SSL_CHK_BUF_READ_PTR(
2 + sizeof(mbedtls_ssl_tls13_hello_retry_request_magic)); buf, end, 2 + sizeof(mbedtls_ssl_tls13_hello_retry_request_magic));
if (memcmp(buf + 2, mbedtls_ssl_tls13_hello_retry_request_magic, if (memcmp(buf + 2, mbedtls_ssl_tls13_hello_retry_request_magic,
sizeof(mbedtls_ssl_tls13_hello_retry_request_magic)) == 0) { sizeof(mbedtls_ssl_tls13_hello_retry_request_magic)) == 0) {
@ -1464,9 +1467,9 @@ static int ssl_tls13_preprocess_server_hello(mbedtls_ssl_context *ssl,
*/ */
ssl->keep_current_message = 1; ssl->keep_current_message = 1;
ssl->tls_version = MBEDTLS_SSL_VERSION_TLS1_2; ssl->tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(ssl, MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(
MBEDTLS_SSL_HS_SERVER_HELLO, ssl, MBEDTLS_SSL_HS_SERVER_HELLO,
buf, (size_t) (end - buf))); buf, (size_t) (end - buf)));
if (mbedtls_ssl_conf_tls13_some_ephemeral_enabled(ssl)) { if (mbedtls_ssl_conf_tls13_some_ephemeral_enabled(ssl)) {
ret = ssl_tls13_reset_key_share(ssl); ret = ssl_tls13_reset_key_share(ssl);
@ -1492,15 +1495,16 @@ static int ssl_tls13_preprocess_server_hello(mbedtls_ssl_context *ssl,
break; break;
case SSL_SERVER_HELLO_HRR: case SSL_SERVER_HELLO_HRR:
MBEDTLS_SSL_DEBUG_MSG(2, ("received HelloRetryRequest message")); MBEDTLS_SSL_DEBUG_MSG(2, ("received HelloRetryRequest message"));
/* If a client receives a second /* If a client receives a second HelloRetryRequest in the same
* HelloRetryRequest in the same connection (i.e., where the ClientHello * connection (i.e., where the ClientHello was itself in response
* was itself in response to a HelloRetryRequest), it MUST abort the * to a HelloRetryRequest), it MUST abort the handshake with an
* handshake with an "unexpected_message" alert. * "unexpected_message" alert.
*/ */
if (handshake->hello_retry_request_count > 0) { if (handshake->hello_retry_request_count > 0) {
MBEDTLS_SSL_DEBUG_MSG(1, ("Multiple HRRs received")); MBEDTLS_SSL_DEBUG_MSG(1, ("Multiple HRRs received"));
MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE, MBEDTLS_SSL_PEND_FATAL_ALERT(
MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE); MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE,
MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE);
return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE; return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
} }
/* /*
@ -1861,20 +1865,25 @@ static int ssl_tls13_postprocess_server_hello(mbedtls_ssl_context *ssl)
* exchange mode is EPHEMERAL-only. * exchange mode is EPHEMERAL-only.
*/ */
switch (handshake->received_extensions & switch (handshake->received_extensions &
(MBEDTLS_SSL_EXT_MASK(PRE_SHARED_KEY) | MBEDTLS_SSL_EXT_MASK(KEY_SHARE))) { (MBEDTLS_SSL_EXT_MASK(PRE_SHARED_KEY) |
MBEDTLS_SSL_EXT_MASK(KEY_SHARE))) {
/* Only the pre_shared_key extension was received */ /* Only the pre_shared_key extension was received */
case MBEDTLS_SSL_EXT_MASK(PRE_SHARED_KEY): case MBEDTLS_SSL_EXT_MASK(PRE_SHARED_KEY):
handshake->key_exchange_mode = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK; handshake->key_exchange_mode =
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK;
break; break;
/* Only the key_share extension was received */ /* Only the key_share extension was received */
case MBEDTLS_SSL_EXT_MASK(KEY_SHARE): case MBEDTLS_SSL_EXT_MASK(KEY_SHARE):
handshake->key_exchange_mode = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL; handshake->key_exchange_mode =
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL;
break; break;
/* Both the pre_shared_key and key_share extensions were received */ /* Both the pre_shared_key and key_share extensions were received */
case (MBEDTLS_SSL_EXT_MASK(PRE_SHARED_KEY) | MBEDTLS_SSL_EXT_MASK(KEY_SHARE)): case (MBEDTLS_SSL_EXT_MASK(PRE_SHARED_KEY) |
handshake->key_exchange_mode = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL; MBEDTLS_SSL_EXT_MASK(KEY_SHARE)):
handshake->key_exchange_mode =
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL;
break; break;
/* Neither pre_shared_key nor key_share extension was received */ /* Neither pre_shared_key nor key_share extension was received */
@ -1917,15 +1926,15 @@ static int ssl_tls13_postprocess_server_hello(mbedtls_ssl_context *ssl)
if (!mbedtls_ssl_conf_tls13_check_kex_modes( if (!mbedtls_ssl_conf_tls13_check_kex_modes(
ssl, handshake->key_exchange_mode)) { ssl, handshake->key_exchange_mode)) {
ret = MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; ret = MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
MBEDTLS_SSL_DEBUG_MSG(2, MBEDTLS_SSL_DEBUG_MSG(
("Key exchange mode(%s) is not supported.", 2, ("Key exchange mode(%s) is not supported.",
ssl_tls13_get_kex_mode_str(handshake->key_exchange_mode))); ssl_tls13_get_kex_mode_str(handshake->key_exchange_mode)));
goto cleanup; goto cleanup;
} }
MBEDTLS_SSL_DEBUG_MSG(3, MBEDTLS_SSL_DEBUG_MSG(
("Selected key exchange mode: %s", 3, ("Selected key exchange mode: %s",
ssl_tls13_get_kex_mode_str(handshake->key_exchange_mode))); ssl_tls13_get_kex_mode_str(handshake->key_exchange_mode)));
/* Start the TLS 1.3 key scheduling if not already done. /* Start the TLS 1.3 key scheduling if not already done.
* *
@ -2009,9 +2018,8 @@ static int ssl_tls13_process_server_hello(mbedtls_ssl_context *ssl)
MBEDTLS_SSL_DEBUG_MSG(2, ("=> %s", __func__)); MBEDTLS_SSL_DEBUG_MSG(2, ("=> %s", __func__));
MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_tls13_fetch_handshake_msg(ssl, MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_tls13_fetch_handshake_msg(
MBEDTLS_SSL_HS_SERVER_HELLO, ssl, MBEDTLS_SSL_HS_SERVER_HELLO, &buf, &buf_len));
&buf, &buf_len));
ret = ssl_tls13_preprocess_server_hello(ssl, buf, buf + buf_len); ret = ssl_tls13_preprocess_server_hello(ssl, buf, buf + buf_len);
if (ret < 0) { if (ret < 0) {
@ -2032,9 +2040,8 @@ static int ssl_tls13_process_server_hello(mbedtls_ssl_context *ssl)
MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_reset_transcript_for_hrr(ssl)); MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_reset_transcript_for_hrr(ssl));
} }
MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(ssl, MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(
MBEDTLS_SSL_HS_SERVER_HELLO, buf, ssl, MBEDTLS_SSL_HS_SERVER_HELLO, buf, buf_len));
buf_len));
if (is_hrr) { if (is_hrr) {
MBEDTLS_SSL_PROC_CHK(ssl_tls13_postprocess_hrr(ssl)); MBEDTLS_SSL_PROC_CHK(ssl_tls13_postprocess_hrr(ssl));
@ -2043,8 +2050,8 @@ static int ssl_tls13_process_server_hello(mbedtls_ssl_context *ssl)
* immediately before its second flight. This may either be before * immediately before its second flight. This may either be before
* its second ClientHello or before its encrypted handshake flight. * its second ClientHello or before its encrypted handshake flight.
*/ */
mbedtls_ssl_handshake_set_state(ssl, mbedtls_ssl_handshake_set_state(
MBEDTLS_SSL_CLIENT_CCS_BEFORE_2ND_CLIENT_HELLO); ssl, MBEDTLS_SSL_CLIENT_CCS_BEFORE_2ND_CLIENT_HELLO);
#else #else
mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_HELLO); mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_HELLO);
#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */ #endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */
@ -2124,7 +2131,8 @@ static int ssl_tls13_parse_encrypted_extensions(mbedtls_ssl_context *ssl,
case MBEDTLS_TLS_EXT_ALPN: case MBEDTLS_TLS_EXT_ALPN:
MBEDTLS_SSL_DEBUG_MSG(3, ("found alpn extension")); MBEDTLS_SSL_DEBUG_MSG(3, ("found alpn extension"));
if ((ret = ssl_tls13_parse_alpn_ext(ssl, p, (size_t) extension_data_len)) != 0) { if ((ret = ssl_tls13_parse_alpn_ext(
ssl, p, (size_t) extension_data_len)) != 0) {
return ret; return ret;
} }
@ -2148,10 +2156,12 @@ static int ssl_tls13_parse_encrypted_extensions(mbedtls_ssl_context *ssl,
case MBEDTLS_TLS_EXT_RECORD_SIZE_LIMIT: case MBEDTLS_TLS_EXT_RECORD_SIZE_LIMIT:
MBEDTLS_SSL_DEBUG_MSG(3, ("found record_size_limit extension")); MBEDTLS_SSL_DEBUG_MSG(3, ("found record_size_limit extension"));
ret = mbedtls_ssl_tls13_parse_record_size_limit_ext(ssl, p, p + extension_data_len); ret = mbedtls_ssl_tls13_parse_record_size_limit_ext(
ssl, p, p + extension_data_len);
/* TODO: Return unconditionally here until we handle the record size limit correctly. /* TODO: Return unconditionally here until we handle the record
* Once handled correctly, only return in case of errors. */ * size limit correctly. Once handled correctly, only return in
* case of errors. */
return ret; return ret;
break; break;
@ -2190,9 +2200,9 @@ static int ssl_tls13_process_encrypted_extensions(mbedtls_ssl_context *ssl)
MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse encrypted extensions")); MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse encrypted extensions"));
MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_tls13_fetch_handshake_msg(ssl, MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_tls13_fetch_handshake_msg(
MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS, ssl, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS,
&buf, &buf_len)); &buf, &buf_len));
/* Process the message contents */ /* Process the message contents */
MBEDTLS_SSL_PROC_CHK( MBEDTLS_SSL_PROC_CHK(
@ -2205,9 +2215,9 @@ static int ssl_tls13_process_encrypted_extensions(mbedtls_ssl_context *ssl)
} }
#endif #endif
MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(ssl, MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(
MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS, ssl, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS,
buf, buf_len)); buf, buf_len));
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED) #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
if (mbedtls_ssl_tls13_key_exchange_mode_with_psk(ssl)) { if (mbedtls_ssl_tls13_key_exchange_mode_with_psk(ssl)) {
@ -2443,16 +2453,16 @@ static int ssl_tls13_process_certificate_request(mbedtls_ssl_context *ssl)
unsigned char *buf; unsigned char *buf;
size_t buf_len; size_t buf_len;
MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_tls13_fetch_handshake_msg(ssl, MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_tls13_fetch_handshake_msg(
MBEDTLS_SSL_HS_CERTIFICATE_REQUEST, ssl, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST,
&buf, &buf_len)); &buf, &buf_len));
MBEDTLS_SSL_PROC_CHK(ssl_tls13_parse_certificate_request(ssl, MBEDTLS_SSL_PROC_CHK(ssl_tls13_parse_certificate_request(
buf, buf + buf_len)); ssl, buf, buf + buf_len));
MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(ssl, MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(
MBEDTLS_SSL_HS_CERTIFICATE_REQUEST, ssl, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST,
buf, buf_len)); buf, buf_len));
} else if (ret == SSL_CERTIFICATE_REQUEST_SKIP) { } else if (ret == SSL_CERTIFICATE_REQUEST_SKIP) {
ret = 0; ret = 0;
} else { } else {
@ -2614,8 +2624,8 @@ static int ssl_tls13_write_client_finished(mbedtls_ssl_context *ssl)
ret = mbedtls_ssl_tls13_compute_resumption_master_secret(ssl); ret = mbedtls_ssl_tls13_compute_resumption_master_secret(ssl);
if (ret != 0) { if (ret != 0) {
MBEDTLS_SSL_DEBUG_RET(1, MBEDTLS_SSL_DEBUG_RET(
"mbedtls_ssl_tls13_compute_resumption_master_secret ", ret); 1, "mbedtls_ssl_tls13_compute_resumption_master_secret ", ret);
return ret; return ret;
} }
@ -2995,7 +3005,8 @@ int mbedtls_ssl_tls13_handshake_client_step(mbedtls_ssl_context *ssl)
case MBEDTLS_SSL_CLIENT_CCS_AFTER_SERVER_FINISHED: case MBEDTLS_SSL_CLIENT_CCS_AFTER_SERVER_FINISHED:
ret = mbedtls_ssl_tls13_write_change_cipher_spec(ssl); ret = mbedtls_ssl_tls13_write_change_cipher_spec(ssl);
if (ret == 0) { if (ret == 0) {
mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE); mbedtls_ssl_handshake_set_state(
ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE);
} }
break; break;

134
library/ssl_tls13_generic.c
View File

@ -247,15 +247,17 @@ static int ssl_tls13_parse_certificate_verify(mbedtls_ssl_context *ssl,
/* RFC 8446 section 4.4.3 /* RFC 8446 section 4.4.3
* *
* If the CertificateVerify message is sent by a server, the signature algorithm * If the CertificateVerify message is sent by a server, the signature
* MUST be one offered in the client's "signature_algorithms" extension unless * algorithm MUST be one offered in the client's "signature_algorithms"
* no valid certificate chain can be produced without unsupported algorithms * extension unless no valid certificate chain can be produced without
* unsupported algorithms
* *
* RFC 8446 section 4.4.2.2 * RFC 8446 section 4.4.2.2
* *
* If the client cannot construct an acceptable chain using the provided * If the client cannot construct an acceptable chain using the provided
* certificates and decides to abort the handshake, then it MUST abort the handshake * certificates and decides to abort the handshake, then it MUST abort the
* with an appropriate certificate-related alert (by default, "unsupported_certificate"). * handshake with an appropriate certificate-related alert
* (by default, "unsupported_certificate").
* *
* Check if algorithm is an offered signature algorithm. * Check if algorithm is an offered signature algorithm.
*/ */
@ -350,17 +352,18 @@ int mbedtls_ssl_tls13_process_certificate_verify(mbedtls_ssl_context *ssl)
MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate verify")); MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate verify"));
MBEDTLS_SSL_PROC_CHK( MBEDTLS_SSL_PROC_CHK(
mbedtls_ssl_tls13_fetch_handshake_msg(ssl, mbedtls_ssl_tls13_fetch_handshake_msg(
MBEDTLS_SSL_HS_CERTIFICATE_VERIFY, &buf, &buf_len)); ssl, MBEDTLS_SSL_HS_CERTIFICATE_VERIFY, &buf, &buf_len));
/* Need to calculate the hash of the transcript first /* Need to calculate the hash of the transcript first
* before reading the message since otherwise it gets * before reading the message since otherwise it gets
* included in the transcript * included in the transcript
*/ */
ret = mbedtls_ssl_get_handshake_transcript(ssl, ret = mbedtls_ssl_get_handshake_transcript(
ssl->handshake->ciphersuite_info->mac, ssl,
transcript, sizeof(transcript), ssl->handshake->ciphersuite_info->mac,
&transcript_len); transcript, sizeof(transcript),
&transcript_len);
if (ret != 0) { if (ret != 0) {
MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_PEND_FATAL_ALERT(
MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR, MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR,
@ -380,13 +383,13 @@ int mbedtls_ssl_tls13_process_certificate_verify(mbedtls_ssl_context *ssl)
MBEDTLS_SSL_IS_CLIENT); MBEDTLS_SSL_IS_CLIENT);
/* Process the message contents */ /* Process the message contents */
MBEDTLS_SSL_PROC_CHK(ssl_tls13_parse_certificate_verify(ssl, buf, MBEDTLS_SSL_PROC_CHK(ssl_tls13_parse_certificate_verify(
buf + buf_len, verify_buffer, ssl, buf, buf + buf_len,
verify_buffer_len)); verify_buffer, verify_buffer_len));
MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(ssl, MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(
MBEDTLS_SSL_HS_CERTIFICATE_VERIFY, ssl, MBEDTLS_SSL_HS_CERTIFICATE_VERIFY,
buf, buf_len)); buf, buf_len));
cleanup: cleanup:
@ -600,7 +603,8 @@ exit:
return MBEDTLS_ERR_SSL_DECODE_ERROR; return MBEDTLS_ERR_SSL_DECODE_ERROR;
} }
MBEDTLS_SSL_DEBUG_CRT(3, "peer certificate", ssl->session_negotiate->peer_cert); MBEDTLS_SSL_DEBUG_CRT(3, "peer certificate",
ssl->session_negotiate->peer_cert);
return ret; return ret;
} }
@ -666,8 +670,9 @@ static int ssl_tls13_validate_certificate(mbedtls_ssl_context *ssl)
if (authmode == MBEDTLS_SSL_VERIFY_OPTIONAL) { if (authmode == MBEDTLS_SSL_VERIFY_OPTIONAL) {
return 0; return 0;
} else { } else {
MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_NO_CERT, MBEDTLS_SSL_PEND_FATAL_ALERT(
MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE); MBEDTLS_SSL_ALERT_MSG_NO_CERT,
MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE);
return MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE; return MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE;
} }
} }
@ -754,7 +759,8 @@ static int ssl_tls13_validate_certificate(mbedtls_ssl_context *ssl)
Pick one and send the corresponding alert. Which alert to send Pick one and send the corresponding alert. Which alert to send
may be a subject of debate in some cases. */ may be a subject of debate in some cases. */
if (verify_result & MBEDTLS_X509_BADCERT_OTHER) { if (verify_result & MBEDTLS_X509_BADCERT_OTHER) {
MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED, ret); MBEDTLS_SSL_PEND_FATAL_ALERT(
MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED, ret);
} else if (verify_result & MBEDTLS_X509_BADCERT_CN_MISMATCH) { } else if (verify_result & MBEDTLS_X509_BADCERT_CN_MISMATCH) {
MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_BAD_CERT, ret); MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_BAD_CERT, ret);
} else if (verify_result & (MBEDTLS_X509_BADCERT_KEY_USAGE | } else if (verify_result & (MBEDTLS_X509_BADCERT_KEY_USAGE |
@ -762,15 +768,19 @@ static int ssl_tls13_validate_certificate(mbedtls_ssl_context *ssl)
MBEDTLS_X509_BADCERT_NS_CERT_TYPE | MBEDTLS_X509_BADCERT_NS_CERT_TYPE |
MBEDTLS_X509_BADCERT_BAD_PK | MBEDTLS_X509_BADCERT_BAD_PK |
MBEDTLS_X509_BADCERT_BAD_KEY)) { MBEDTLS_X509_BADCERT_BAD_KEY)) {
MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT, ret); MBEDTLS_SSL_PEND_FATAL_ALERT(
MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT, ret);
} else if (verify_result & MBEDTLS_X509_BADCERT_EXPIRED) { } else if (verify_result & MBEDTLS_X509_BADCERT_EXPIRED) {
MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_CERT_EXPIRED, ret); MBEDTLS_SSL_PEND_FATAL_ALERT(
MBEDTLS_SSL_ALERT_MSG_CERT_EXPIRED, ret);
} else if (verify_result & MBEDTLS_X509_BADCERT_REVOKED) { } else if (verify_result & MBEDTLS_X509_BADCERT_REVOKED) {
MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_CERT_REVOKED, ret); MBEDTLS_SSL_PEND_FATAL_ALERT(
MBEDTLS_SSL_ALERT_MSG_CERT_REVOKED, ret);
} else if (verify_result & MBEDTLS_X509_BADCERT_NOT_TRUSTED) { } else if (verify_result & MBEDTLS_X509_BADCERT_NOT_TRUSTED) {
MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_UNKNOWN_CA, ret); MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_UNKNOWN_CA, ret);
} else { } else {
MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_CERT_UNKNOWN, ret); MBEDTLS_SSL_PEND_FATAL_ALERT(
MBEDTLS_SSL_ALERT_MSG_CERT_UNKNOWN, ret);
} }
} }
@ -815,9 +825,8 @@ int mbedtls_ssl_tls13_process_certificate(mbedtls_ssl_context *ssl)
/* Validate the certificate chain and set the verification results. */ /* Validate the certificate chain and set the verification results. */
MBEDTLS_SSL_PROC_CHK(ssl_tls13_validate_certificate(ssl)); MBEDTLS_SSL_PROC_CHK(ssl_tls13_validate_certificate(ssl));
MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(ssl, MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(
MBEDTLS_SSL_HS_CERTIFICATE, buf, ssl, MBEDTLS_SSL_HS_CERTIFICATE, buf, buf_len));
buf_len));
cleanup: cleanup:
#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */ #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
@ -923,18 +932,16 @@ int mbedtls_ssl_tls13_write_certificate(mbedtls_ssl_context *ssl)
MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate")); MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate"));
MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_start_handshake_msg(ssl, MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_start_handshake_msg(
MBEDTLS_SSL_HS_CERTIFICATE, &buf, ssl, MBEDTLS_SSL_HS_CERTIFICATE, &buf, &buf_len));
&buf_len));
MBEDTLS_SSL_PROC_CHK(ssl_tls13_write_certificate_body(ssl, MBEDTLS_SSL_PROC_CHK(ssl_tls13_write_certificate_body(ssl,
buf, buf,
buf + buf_len, buf + buf_len,
&msg_len)); &msg_len));
MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(ssl, MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(
MBEDTLS_SSL_HS_CERTIFICATE, buf, ssl, MBEDTLS_SSL_HS_CERTIFICATE, buf, msg_len));
msg_len));
MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_finish_handshake_msg( MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_finish_handshake_msg(
ssl, buf_len, msg_len)); ssl, buf_len, msg_len));
@ -1017,11 +1024,9 @@ static int ssl_tls13_write_certificate_verify_body(mbedtls_ssl_context *ssl,
return MBEDTLS_ERR_SSL_INTERNAL_ERROR; return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
} }
ret = mbedtls_ssl_get_handshake_transcript(ssl, ret = mbedtls_ssl_get_handshake_transcript(
ssl->handshake->ciphersuite_info->mac, ssl, ssl->handshake->ciphersuite_info->mac,
handshake_hash, handshake_hash, sizeof(handshake_hash), &handshake_hash_len);
sizeof(handshake_hash),
&handshake_hash_len);
if (ret != 0) { if (ret != 0) {
return ret; return ret;
} }
@ -1128,16 +1133,16 @@ int mbedtls_ssl_tls13_write_certificate_verify(mbedtls_ssl_context *ssl)
MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate verify")); MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate verify"));
MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_start_handshake_msg(ssl, MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_start_handshake_msg(
MBEDTLS_SSL_HS_CERTIFICATE_VERIFY, &buf, ssl, MBEDTLS_SSL_HS_CERTIFICATE_VERIFY,
&buf_len)); &buf, &buf_len));
MBEDTLS_SSL_PROC_CHK(ssl_tls13_write_certificate_verify_body( MBEDTLS_SSL_PROC_CHK(ssl_tls13_write_certificate_verify_body(
ssl, buf, buf + buf_len, &msg_len)); ssl, buf, buf + buf_len, &msg_len));
MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(ssl, MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(
MBEDTLS_SSL_HS_CERTIFICATE_VERIFY, buf, ssl, MBEDTLS_SSL_HS_CERTIFICATE_VERIFY,
msg_len)); buf, msg_len));
MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_finish_handshake_msg( MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_finish_handshake_msg(
ssl, buf_len, msg_len)); ssl, buf_len, msg_len));
@ -1163,13 +1168,13 @@ static int ssl_tls13_preprocess_finished_message(mbedtls_ssl_context *ssl)
{ {
int ret; int ret;
ret = mbedtls_ssl_tls13_calculate_verify_data(ssl, ret = mbedtls_ssl_tls13_calculate_verify_data(
ssl->handshake->state_local.finished_in.digest, ssl,
sizeof(ssl->handshake->state_local.finished_in. ssl->handshake->state_local.finished_in.digest,
digest), sizeof(ssl->handshake->state_local.finished_in.digest),
&ssl->handshake->state_local.finished_in.digest_len, &ssl->handshake->state_local.finished_in.digest_len,
ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ? ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ?
MBEDTLS_SSL_IS_SERVER : MBEDTLS_SSL_IS_CLIENT); MBEDTLS_SSL_IS_SERVER : MBEDTLS_SSL_IS_CLIENT);
if (ret != 0) { if (ret != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_tls13_calculate_verify_data", ret); MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_tls13_calculate_verify_data", ret);
return ret; return ret;
@ -1228,17 +1233,17 @@ int mbedtls_ssl_tls13_process_finished_message(mbedtls_ssl_context *ssl)
MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse finished message")); MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse finished message"));
MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_tls13_fetch_handshake_msg(ssl, MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_tls13_fetch_handshake_msg(
MBEDTLS_SSL_HS_FINISHED, ssl, MBEDTLS_SSL_HS_FINISHED, &buf, &buf_len));
&buf, &buf_len));
/* Preprocessing step: Compute handshake digest */ /* Preprocessing step: Compute handshake digest */
MBEDTLS_SSL_PROC_CHK(ssl_tls13_preprocess_finished_message(ssl)); MBEDTLS_SSL_PROC_CHK(ssl_tls13_preprocess_finished_message(ssl));
MBEDTLS_SSL_PROC_CHK(ssl_tls13_parse_finished_message(ssl, buf, buf + buf_len)); MBEDTLS_SSL_PROC_CHK(ssl_tls13_parse_finished_message(
ssl, buf, buf + buf_len));
MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(ssl, MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(
MBEDTLS_SSL_HS_FINISHED, buf, buf_len)); ssl, MBEDTLS_SSL_HS_FINISHED, buf, buf_len));
cleanup: cleanup:
@ -1526,9 +1531,8 @@ int mbedtls_ssl_tls13_generate_and_write_ecdh_key_exchange(
MBEDTLS_SSL_DEBUG_MSG(1, ("Perform PSA-based ECDH computation.")); MBEDTLS_SSL_DEBUG_MSG(1, ("Perform PSA-based ECDH computation."));
/* Convert EC's TLS ID to PSA key type. */ /* Convert EC's TLS ID to PSA key type. */
if (mbedtls_ssl_get_psa_curve_info_from_tls_id(named_group, if (mbedtls_ssl_get_psa_curve_info_from_tls_id(
&ec_psa_family, named_group, &ec_psa_family, &ec_bits) == PSA_ERROR_NOT_SUPPORTED) {
&ec_bits) == PSA_ERROR_NOT_SUPPORTED) {
return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
} }
handshake->ecdh_psa_type = PSA_KEY_TYPE_ECC_KEY_PAIR(ec_psa_family); handshake->ecdh_psa_type = PSA_KEY_TYPE_ECC_KEY_PAIR(ec_psa_family);
@ -1638,7 +1642,8 @@ int mbedtls_ssl_tls13_parse_record_size_limit_ext(mbedtls_ssl_context *ssl,
uint16_t record_size_limit; uint16_t record_size_limit;
const size_t extension_data_len = end - buf; const size_t extension_data_len = end - buf;
if (extension_data_len != MBEDTLS_SSL_RECORD_SIZE_LIMIT_EXTENSION_DATA_LENGTH) { if (extension_data_len !=
MBEDTLS_SSL_RECORD_SIZE_LIMIT_EXTENSION_DATA_LENGTH) {
MBEDTLS_SSL_DEBUG_MSG(2, MBEDTLS_SSL_DEBUG_MSG(2,
("record_size_limit extension has invalid length: %" ("record_size_limit extension has invalid length: %"
MBEDTLS_PRINTF_SIZET " Bytes", MBEDTLS_PRINTF_SIZET " Bytes",
@ -1668,9 +1673,8 @@ int mbedtls_ssl_tls13_parse_record_size_limit_ext(mbedtls_ssl_context *ssl,
return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
} }
MBEDTLS_SSL_DEBUG_MSG(2, MBEDTLS_SSL_DEBUG_MSG(
( 2, ("record_size_limit extension is still in development. Aborting handshake."));
"record_size_limit extension is still in development. Aborting handshake."));
MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_PEND_FATAL_ALERT(
MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT, MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT,

305
library/ssl_tls13_keys.c
View File

@ -455,25 +455,27 @@ int mbedtls_ssl_tls13_derive_early_secrets(
*/ */
/* Create client_early_traffic_secret */ /* Create client_early_traffic_secret */
ret = mbedtls_ssl_tls13_derive_secret(hash_alg, ret = mbedtls_ssl_tls13_derive_secret(
early_secret, hash_len, hash_alg,
MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN(c_e_traffic), early_secret, hash_len,
transcript, transcript_len, MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN(c_e_traffic),
MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED, transcript, transcript_len,
derived->client_early_traffic_secret, MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED,
hash_len); derived->client_early_traffic_secret,
hash_len);
if (ret != 0) { if (ret != 0) {
return ret; return ret;
} }
/* Create early exporter */ /* Create early exporter */
ret = mbedtls_ssl_tls13_derive_secret(hash_alg, ret = mbedtls_ssl_tls13_derive_secret(
early_secret, hash_len, hash_alg,
MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN(e_exp_master), early_secret, hash_len,
transcript, transcript_len, MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN(e_exp_master),
MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED, transcript, transcript_len,
derived->early_exporter_master_secret, MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED,
hash_len); derived->early_exporter_master_secret,
hash_len);
if (ret != 0) { if (ret != 0) {
return ret; return ret;
} }
@ -515,13 +517,14 @@ int mbedtls_ssl_tls13_derive_handshake_secrets(
* Derive-Secret( ., "c hs traffic", ClientHello...ServerHello ) * Derive-Secret( ., "c hs traffic", ClientHello...ServerHello )
*/ */
ret = mbedtls_ssl_tls13_derive_secret(hash_alg, ret = mbedtls_ssl_tls13_derive_secret(
handshake_secret, hash_len, hash_alg,
MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN(c_hs_traffic), handshake_secret, hash_len,
transcript, transcript_len, MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN(c_hs_traffic),
MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED, transcript, transcript_len,
derived->client_handshake_traffic_secret, MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED,
hash_len); derived->client_handshake_traffic_secret,
hash_len);
if (ret != 0) { if (ret != 0) {
return ret; return ret;
} }
@ -531,13 +534,14 @@ int mbedtls_ssl_tls13_derive_handshake_secrets(
* Derive-Secret( ., "s hs traffic", ClientHello...ServerHello ) * Derive-Secret( ., "s hs traffic", ClientHello...ServerHello )
*/ */
ret = mbedtls_ssl_tls13_derive_secret(hash_alg, ret = mbedtls_ssl_tls13_derive_secret(
handshake_secret, hash_len, hash_alg,
MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN(s_hs_traffic), handshake_secret, hash_len,
transcript, transcript_len, MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN(s_hs_traffic),
MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED, transcript, transcript_len,
derived->server_handshake_traffic_secret, MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED,
hash_len); derived->server_handshake_traffic_secret,
hash_len);
if (ret != 0) { if (ret != 0) {
return ret; return ret;
} }
@ -578,35 +582,38 @@ int mbedtls_ssl_tls13_derive_application_secrets(
* *
*/ */
ret = mbedtls_ssl_tls13_derive_secret(hash_alg, ret = mbedtls_ssl_tls13_derive_secret(
application_secret, hash_len, hash_alg,
MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN(c_ap_traffic), application_secret, hash_len,
transcript, transcript_len, MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN(c_ap_traffic),
MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED, transcript, transcript_len,
derived->client_application_traffic_secret_N, MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED,
hash_len); derived->client_application_traffic_secret_N,
hash_len);
if (ret != 0) { if (ret != 0) {
return ret; return ret;
} }
ret = mbedtls_ssl_tls13_derive_secret(hash_alg, ret = mbedtls_ssl_tls13_derive_secret(
application_secret, hash_len, hash_alg,
MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN(s_ap_traffic), application_secret, hash_len,
transcript, transcript_len, MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN(s_ap_traffic),
MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED, transcript, transcript_len,
derived->server_application_traffic_secret_N, MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED,
hash_len); derived->server_application_traffic_secret_N,
hash_len);
if (ret != 0) { if (ret != 0) {
return ret; return ret;
} }
ret = mbedtls_ssl_tls13_derive_secret(hash_alg, ret = mbedtls_ssl_tls13_derive_secret(
application_secret, hash_len, hash_alg,
MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN(exp_master), application_secret, hash_len,
transcript, transcript_len, MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN(exp_master),
MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED, transcript, transcript_len,
derived->exporter_master_secret, MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED,
hash_len); derived->exporter_master_secret,
hash_len);
if (ret != 0) { if (ret != 0) {
return ret; return ret;
} }
@ -633,13 +640,14 @@ int mbedtls_ssl_tls13_derive_resumption_master_secret(
return MBEDTLS_ERR_SSL_INTERNAL_ERROR; return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
} }
ret = mbedtls_ssl_tls13_derive_secret(hash_alg, ret = mbedtls_ssl_tls13_derive_secret(
application_secret, hash_len, hash_alg,
MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN(res_master), application_secret, hash_len,
transcript, transcript_len, MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN(res_master),
MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED, transcript, transcript_len,
derived->resumption_master_secret, MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED,
hash_len); derived->resumption_master_secret,
hash_len);
if (ret != 0) { if (ret != 0) {
return ret; return ret;
@ -675,17 +683,19 @@ static int ssl_tls13_key_schedule_stage_application(mbedtls_ssl_context *ssl)
/* /*
* Compute MasterSecret * Compute MasterSecret
*/ */
ret = mbedtls_ssl_tls13_evolve_secret(hash_alg, ret = mbedtls_ssl_tls13_evolve_secret(
handshake->tls13_master_secrets.handshake, hash_alg,
NULL, 0, handshake->tls13_master_secrets.handshake,
handshake->tls13_master_secrets.app); NULL, 0,
handshake->tls13_master_secrets.app);
if (ret != 0) { if (ret != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_tls13_evolve_secret", ret); MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_tls13_evolve_secret", ret);
return ret; return ret;
} }
MBEDTLS_SSL_DEBUG_BUF(4, "Master secret", MBEDTLS_SSL_DEBUG_BUF(
handshake->tls13_master_secrets.app, PSA_HASH_LENGTH(hash_alg)); 4, "Master secret",
handshake->tls13_master_secrets.app, PSA_HASH_LENGTH(hash_alg));
return 0; return 0;
} }
@ -810,7 +820,8 @@ int mbedtls_ssl_tls13_calculate_verify_data(mbedtls_ssl_context *ssl,
} }
MBEDTLS_SSL_DEBUG_BUF(4, "handshake hash", transcript, transcript_len); MBEDTLS_SSL_DEBUG_BUF(4, "handshake hash", transcript, transcript_len);
ret = ssl_tls13_calc_finished_core(hash_alg, base_key, transcript, dst, actual_len); ret = ssl_tls13_calc_finished_core(hash_alg, base_key,
transcript, dst, actual_len);
if (ret != 0) { if (ret != 0) {
goto exit; goto exit;
} }
@ -873,18 +884,20 @@ int mbedtls_ssl_tls13_create_psk_binder(mbedtls_ssl_context *ssl,
early_secret, hash_len); early_secret, hash_len);
if (psk_type == MBEDTLS_SSL_TLS1_3_PSK_RESUMPTION) { if (psk_type == MBEDTLS_SSL_TLS1_3_PSK_RESUMPTION) {
ret = mbedtls_ssl_tls13_derive_secret(hash_alg, ret = mbedtls_ssl_tls13_derive_secret(
early_secret, hash_len, hash_alg,
MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN(res_binder), early_secret, hash_len,
NULL, 0, MBEDTLS_SSL_TLS1_3_CONTEXT_UNHASHED, MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN(res_binder),
binder_key, hash_len); NULL, 0, MBEDTLS_SSL_TLS1_3_CONTEXT_UNHASHED,
binder_key, hash_len);
MBEDTLS_SSL_DEBUG_MSG(4, ("Derive Early Secret with 'res binder'")); MBEDTLS_SSL_DEBUG_MSG(4, ("Derive Early Secret with 'res binder'"));
} else { } else {
ret = mbedtls_ssl_tls13_derive_secret(hash_alg, ret = mbedtls_ssl_tls13_derive_secret(
early_secret, hash_len, hash_alg,
MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN(ext_binder), early_secret, hash_len,
NULL, 0, MBEDTLS_SSL_TLS1_3_CONTEXT_UNHASHED, MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN(ext_binder),
binder_key, hash_len); NULL, 0, MBEDTLS_SSL_TLS1_3_CONTEXT_UNHASHED,
binder_key, hash_len);
MBEDTLS_SSL_DEBUG_MSG(4, ("Derive Early Secret with 'ext binder'")); MBEDTLS_SSL_DEBUG_MSG(4, ("Derive Early Secret with 'ext binder'"));
} }
@ -913,11 +926,11 @@ exit:
return ret; return ret;
} }
int mbedtls_ssl_tls13_populate_transform(mbedtls_ssl_transform *transform, int mbedtls_ssl_tls13_populate_transform(
int endpoint, mbedtls_ssl_transform *transform,
int ciphersuite, int endpoint, int ciphersuite,
mbedtls_ssl_key_set const *traffic_keys, mbedtls_ssl_key_set const *traffic_keys,
mbedtls_ssl_context *ssl /* DEBUG ONLY */) mbedtls_ssl_context *ssl /* DEBUG ONLY */)
{ {
#if !defined(MBEDTLS_USE_PSA_CRYPTO) #if !defined(MBEDTLS_USE_PSA_CRYPTO)
int ret; int ret;
@ -1044,7 +1057,8 @@ int mbedtls_ssl_tls13_populate_transform(mbedtls_ssl_transform *transform,
&alg, &alg,
&key_type, &key_type,
&key_bits)) != PSA_SUCCESS) { &key_bits)) != PSA_SUCCESS) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_cipher_to_psa", PSA_TO_MBEDTLS_ERR(status)); MBEDTLS_SSL_DEBUG_RET(
1, "mbedtls_ssl_cipher_to_psa", PSA_TO_MBEDTLS_ERR(status));
return PSA_TO_MBEDTLS_ERR(status); return PSA_TO_MBEDTLS_ERR(status);
} }
@ -1059,7 +1073,8 @@ int mbedtls_ssl_tls13_populate_transform(mbedtls_ssl_transform *transform,
key_enc, key_enc,
PSA_BITS_TO_BYTES(key_bits), PSA_BITS_TO_BYTES(key_bits),
&transform->psa_key_enc)) != PSA_SUCCESS) { &transform->psa_key_enc)) != PSA_SUCCESS) {
MBEDTLS_SSL_DEBUG_RET(1, "psa_import_key", PSA_TO_MBEDTLS_ERR(status)); MBEDTLS_SSL_DEBUG_RET(
1, "psa_import_key", PSA_TO_MBEDTLS_ERR(status));
return PSA_TO_MBEDTLS_ERR(status); return PSA_TO_MBEDTLS_ERR(status);
} }
@ -1069,7 +1084,8 @@ int mbedtls_ssl_tls13_populate_transform(mbedtls_ssl_transform *transform,
key_dec, key_dec,
PSA_BITS_TO_BYTES(key_bits), PSA_BITS_TO_BYTES(key_bits),
&transform->psa_key_dec)) != PSA_SUCCESS) { &transform->psa_key_dec)) != PSA_SUCCESS) {
MBEDTLS_SSL_DEBUG_RET(1, "psa_import_key", PSA_TO_MBEDTLS_ERR(status)); MBEDTLS_SSL_DEBUG_RET(
1, "psa_import_key", PSA_TO_MBEDTLS_ERR(status));
return PSA_TO_MBEDTLS_ERR(status); return PSA_TO_MBEDTLS_ERR(status);
} }
} }
@ -1134,7 +1150,8 @@ static int ssl_tls13_generate_early_key(mbedtls_ssl_context *ssl,
mbedtls_ssl_tls13_early_secrets tls13_early_secrets; mbedtls_ssl_tls13_early_secrets tls13_early_secrets;
mbedtls_ssl_handshake_params *handshake = ssl->handshake; mbedtls_ssl_handshake_params *handshake = ssl->handshake;
const mbedtls_ssl_ciphersuite_t *ciphersuite_info = handshake->ciphersuite_info; const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
handshake->ciphersuite_info;
MBEDTLS_SSL_DEBUG_MSG(2, ("=> ssl_tls13_generate_early_key")); MBEDTLS_SSL_DEBUG_MSG(2, ("=> ssl_tls13_generate_early_key"));
@ -1333,8 +1350,10 @@ static int ssl_tls13_generate_handshake_keys(mbedtls_ssl_context *ssl,
size_t iv_len; size_t iv_len;
mbedtls_ssl_handshake_params *handshake = ssl->handshake; mbedtls_ssl_handshake_params *handshake = ssl->handshake;
const mbedtls_ssl_ciphersuite_t *ciphersuite_info = handshake->ciphersuite_info; const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
mbedtls_ssl_tls13_handshake_secrets *tls13_hs_secrets = &handshake->tls13_hs_secrets; handshake->ciphersuite_info;
mbedtls_ssl_tls13_handshake_secrets *tls13_hs_secrets =
&handshake->tls13_hs_secrets;
MBEDTLS_SSL_DEBUG_MSG(2, ("=> ssl_tls13_generate_handshake_keys")); MBEDTLS_SSL_DEBUG_MSG(2, ("=> ssl_tls13_generate_handshake_keys"));
@ -1360,9 +1379,9 @@ static int ssl_tls13_generate_handshake_keys(mbedtls_ssl_context *ssl,
return ret; return ret;
} }
ret = mbedtls_ssl_tls13_derive_handshake_secrets(hash_alg, ret = mbedtls_ssl_tls13_derive_handshake_secrets(
handshake->tls13_master_secrets.handshake, hash_alg, handshake->tls13_master_secrets.handshake,
transcript, transcript_len, tls13_hs_secrets); transcript, transcript_len, tls13_hs_secrets);
if (ret != 0) { if (ret != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_tls13_derive_handshake_secrets", MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_tls13_derive_handshake_secrets",
ret); ret);
@ -1380,27 +1399,30 @@ static int ssl_tls13_generate_handshake_keys(mbedtls_ssl_context *ssl,
* Export client handshake traffic secret * Export client handshake traffic secret
*/ */
if (ssl->f_export_keys != NULL) { if (ssl->f_export_keys != NULL) {
ssl->f_export_keys(ssl->p_export_keys, ssl->f_export_keys(
MBEDTLS_SSL_KEY_EXPORT_TLS1_3_CLIENT_HANDSHAKE_TRAFFIC_SECRET, ssl->p_export_keys,
tls13_hs_secrets->client_handshake_traffic_secret, MBEDTLS_SSL_KEY_EXPORT_TLS1_3_CLIENT_HANDSHAKE_TRAFFIC_SECRET,
hash_len, tls13_hs_secrets->client_handshake_traffic_secret,
handshake->randbytes, hash_len,
handshake->randbytes + MBEDTLS_CLIENT_HELLO_RANDOM_LEN, handshake->randbytes,
MBEDTLS_SSL_TLS_PRF_NONE /* TODO: FIX! */); handshake->randbytes + MBEDTLS_CLIENT_HELLO_RANDOM_LEN,
MBEDTLS_SSL_TLS_PRF_NONE /* TODO: FIX! */);
ssl->f_export_keys(ssl->p_export_keys, ssl->f_export_keys(
MBEDTLS_SSL_KEY_EXPORT_TLS1_3_SERVER_HANDSHAKE_TRAFFIC_SECRET, ssl->p_export_keys,
tls13_hs_secrets->server_handshake_traffic_secret, MBEDTLS_SSL_KEY_EXPORT_TLS1_3_SERVER_HANDSHAKE_TRAFFIC_SECRET,
hash_len, tls13_hs_secrets->server_handshake_traffic_secret,
handshake->randbytes, hash_len,
handshake->randbytes + MBEDTLS_CLIENT_HELLO_RANDOM_LEN, handshake->randbytes,
MBEDTLS_SSL_TLS_PRF_NONE /* TODO: FIX! */); handshake->randbytes + MBEDTLS_CLIENT_HELLO_RANDOM_LEN,
MBEDTLS_SSL_TLS_PRF_NONE /* TODO: FIX! */);
} }
ret = mbedtls_ssl_tls13_make_traffic_keys(hash_alg, ret = mbedtls_ssl_tls13_make_traffic_keys(
tls13_hs_secrets->client_handshake_traffic_secret, hash_alg,
tls13_hs_secrets->server_handshake_traffic_secret, tls13_hs_secrets->client_handshake_traffic_secret,
hash_len, key_len, iv_len, traffic_keys); tls13_hs_secrets->server_handshake_traffic_secret,
hash_len, key_len, iv_len, traffic_keys);
if (ret != 0) { if (ret != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_tls13_make_traffic_keys", ret); MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_tls13_make_traffic_keys", ret);
goto exit; goto exit;
@ -1510,10 +1532,10 @@ static int ssl_tls13_key_schedule_stage_handshake(mbedtls_ssl_context *ssl)
/* /*
* Compute the Handshake Secret * Compute the Handshake Secret
*/ */
ret = mbedtls_ssl_tls13_evolve_secret(hash_alg, ret = mbedtls_ssl_tls13_evolve_secret(
handshake->tls13_master_secrets.early, hash_alg, handshake->tls13_master_secrets.early,
shared_secret, shared_secret_len, shared_secret, shared_secret_len,
handshake->tls13_master_secrets.handshake); handshake->tls13_master_secrets.handshake);
if (ret != 0) { if (ret != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_tls13_evolve_secret", ret); MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_tls13_evolve_secret", ret);
goto cleanup; goto cleanup;
@ -1601,22 +1623,22 @@ static int ssl_tls13_generate_application_keys(
/* Compute application secrets from master secret and transcript hash. */ /* Compute application secrets from master secret and transcript hash. */
ret = mbedtls_ssl_tls13_derive_application_secrets(hash_alg, ret = mbedtls_ssl_tls13_derive_application_secrets(
handshake->tls13_master_secrets.app, hash_alg, handshake->tls13_master_secrets.app,
transcript, transcript_len, transcript, transcript_len, app_secrets);
app_secrets);
if (ret != 0) { if (ret != 0) {
MBEDTLS_SSL_DEBUG_RET(1, MBEDTLS_SSL_DEBUG_RET(
"mbedtls_ssl_tls13_derive_application_secrets", ret); 1, "mbedtls_ssl_tls13_derive_application_secrets", ret);
goto cleanup; goto cleanup;
} }
/* Derive first epoch of IV + Key for application traffic. */ /* Derive first epoch of IV + Key for application traffic. */
ret = mbedtls_ssl_tls13_make_traffic_keys(hash_alg, ret = mbedtls_ssl_tls13_make_traffic_keys(
app_secrets->client_application_traffic_secret_N, hash_alg,
app_secrets->server_application_traffic_secret_N, app_secrets->client_application_traffic_secret_N,
hash_len, key_len, iv_len, traffic_keys); app_secrets->server_application_traffic_secret_N,
hash_len, key_len, iv_len, traffic_keys);
if (ret != 0) { if (ret != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_tls13_make_traffic_keys", ret); MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_tls13_make_traffic_keys", ret);
goto cleanup; goto cleanup;
@ -1634,21 +1656,23 @@ static int ssl_tls13_generate_application_keys(
* Export client/server application traffic secret 0 * Export client/server application traffic secret 0
*/ */
if (ssl->f_export_keys != NULL) { if (ssl->f_export_keys != NULL) {
ssl->f_export_keys(ssl->p_export_keys, ssl->f_export_keys(
MBEDTLS_SSL_KEY_EXPORT_TLS1_3_CLIENT_APPLICATION_TRAFFIC_SECRET, ssl->p_export_keys,
app_secrets->client_application_traffic_secret_N, hash_len, MBEDTLS_SSL_KEY_EXPORT_TLS1_3_CLIENT_APPLICATION_TRAFFIC_SECRET,
handshake->randbytes, app_secrets->client_application_traffic_secret_N, hash_len,
handshake->randbytes + MBEDTLS_CLIENT_HELLO_RANDOM_LEN, handshake->randbytes,
MBEDTLS_SSL_TLS_PRF_NONE /* TODO: this should be replaced by handshake->randbytes + MBEDTLS_CLIENT_HELLO_RANDOM_LEN,
a new constant for TLS 1.3! */); MBEDTLS_SSL_TLS_PRF_NONE /* TODO: this should be replaced by
a new constant for TLS 1.3! */);
ssl->f_export_keys(ssl->p_export_keys, ssl->f_export_keys(
MBEDTLS_SSL_KEY_EXPORT_TLS1_3_SERVER_APPLICATION_TRAFFIC_SECRET, ssl->p_export_keys,
app_secrets->server_application_traffic_secret_N, hash_len, MBEDTLS_SSL_KEY_EXPORT_TLS1_3_SERVER_APPLICATION_TRAFFIC_SECRET,
handshake->randbytes, app_secrets->server_application_traffic_secret_N, hash_len,
handshake->randbytes + MBEDTLS_CLIENT_HELLO_RANDOM_LEN, handshake->randbytes,
MBEDTLS_SSL_TLS_PRF_NONE /* TODO: this should be replaced by handshake->randbytes + MBEDTLS_CLIENT_HELLO_RANDOM_LEN,
a new constant for TLS 1.3! */); MBEDTLS_SSL_TLS_PRF_NONE /* TODO: this should be replaced by
a new constant for TLS 1.3! */);
} }
MBEDTLS_SSL_DEBUG_BUF(4, "client application_write_key:", MBEDTLS_SSL_DEBUG_BUF(4, "client application_write_key:",
@ -1729,8 +1753,8 @@ int mbedtls_ssl_tls13_compute_resumption_master_secret(mbedtls_ssl_context *ssl)
unsigned char transcript[MBEDTLS_TLS1_3_MD_MAX_SIZE]; unsigned char transcript[MBEDTLS_TLS1_3_MD_MAX_SIZE];
size_t transcript_len; size_t transcript_len;
MBEDTLS_SSL_DEBUG_MSG(2, MBEDTLS_SSL_DEBUG_MSG(
("=> mbedtls_ssl_tls13_compute_resumption_master_secret")); 2, ("=> mbedtls_ssl_tls13_compute_resumption_master_secret"));
md_type = handshake->ciphersuite_info->mac; md_type = handshake->ciphersuite_info->mac;
@ -1754,12 +1778,13 @@ int mbedtls_ssl_tls13_compute_resumption_master_secret(mbedtls_ssl_context *ssl)
mbedtls_platform_zeroize(&handshake->tls13_master_secrets, mbedtls_platform_zeroize(&handshake->tls13_master_secrets,
sizeof(handshake->tls13_master_secrets)); sizeof(handshake->tls13_master_secrets));
MBEDTLS_SSL_DEBUG_BUF(4, "Resumption master secret", MBEDTLS_SSL_DEBUG_BUF(
ssl->session_negotiate->app_secrets.resumption_master_secret, 4, "Resumption master secret",
PSA_HASH_LENGTH(mbedtls_psa_translate_md(md_type))); ssl->session_negotiate->app_secrets.resumption_master_secret,
PSA_HASH_LENGTH(mbedtls_psa_translate_md(md_type)));
MBEDTLS_SSL_DEBUG_MSG(2, MBEDTLS_SSL_DEBUG_MSG(
("<= mbedtls_ssl_tls13_compute_resumption_master_secret")); 2, ("<= mbedtls_ssl_tls13_compute_resumption_master_secret"));
return 0; return 0;
} }

103
library/ssl_tls13_server.c
View File

@ -317,11 +317,10 @@ static int ssl_tls13_offered_psks_check_identity_match(
} }
MBEDTLS_CHECK_RETURN_CRITICAL MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_tls13_offered_psks_check_binder_match(mbedtls_ssl_context *ssl, static int ssl_tls13_offered_psks_check_binder_match(
const unsigned char *binder, mbedtls_ssl_context *ssl,
size_t binder_len, const unsigned char *binder, size_t binder_len,
int psk_type, int psk_type, psa_algorithm_t psk_hash_alg)
psa_algorithm_t psk_hash_alg)
{ {
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
@ -490,11 +489,12 @@ static int ssl_tls13_session_copy_ticket(mbedtls_ssl_session *dst,
* } PreSharedKeyExtension; * } PreSharedKeyExtension;
*/ */
MBEDTLS_CHECK_RETURN_CRITICAL MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_tls13_parse_pre_shared_key_ext(mbedtls_ssl_context *ssl, static int ssl_tls13_parse_pre_shared_key_ext(
const unsigned char *pre_shared_key_ext, mbedtls_ssl_context *ssl,
const unsigned char *pre_shared_key_ext_end, const unsigned char *pre_shared_key_ext,
const unsigned char *ciphersuites, const unsigned char *pre_shared_key_ext_end,
const unsigned char *ciphersuites_end) const unsigned char *ciphersuites,
const unsigned char *ciphersuites_end)
{ {
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
const unsigned char *identities = pre_shared_key_ext; const unsigned char *identities = pre_shared_key_ext;
@ -621,8 +621,8 @@ static int ssl_tls13_parse_pre_shared_key_ext(mbedtls_ssl_context *ssl,
mbedtls_ssl_session_free(&session); mbedtls_ssl_session_free(&session);
#endif #endif
MBEDTLS_SSL_DEBUG_MSG(3, ("Invalid binder.")); MBEDTLS_SSL_DEBUG_MSG(3, ("Invalid binder."));
MBEDTLS_SSL_DEBUG_RET(1, MBEDTLS_SSL_DEBUG_RET(
"ssl_tls13_offered_psks_check_binder_match", ret); 1, "ssl_tls13_offered_psks_check_binder_match", ret);
MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_PEND_FATAL_ALERT(
MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR, MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR,
MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE); MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE);
@ -656,9 +656,8 @@ static int ssl_tls13_parse_pre_shared_key_ext(mbedtls_ssl_context *ssl,
} }
/* Update the handshake transcript with the binder list. */ /* Update the handshake transcript with the binder list. */
ret = ssl->handshake->update_checksum(ssl, ret = ssl->handshake->update_checksum(
identities_end, ssl, identities_end, (size_t) (binders_end - identities_end));
(size_t) (binders_end - identities_end));
if (0 != ret) { if (0 != ret) {
MBEDTLS_SSL_DEBUG_RET(1, ("update_checksum"), ret); MBEDTLS_SSL_DEBUG_RET(1, ("update_checksum"), ret);
return ret; return ret;
@ -840,13 +839,14 @@ static int ssl_tls13_parse_supported_groups_ext(mbedtls_ssl_context *ssl,
#if defined(PSA_WANT_ALG_ECDH) #if defined(PSA_WANT_ALG_ECDH)
/* /*
* ssl_tls13_parse_key_shares_ext() verifies whether the information in the * ssl_tls13_parse_key_shares_ext() verifies whether the information in the
* extension is correct and stores the first acceptable key share and its associated group. * extension is correct and stores the first acceptable key share and its
* associated group.
* *
* Possible return values are: * Possible return values are:
* - 0: Successful processing of the client provided key share extension. * - 0: Successful processing of the client provided key share extension.
* - SSL_TLS1_3_PARSE_KEY_SHARES_EXT_NO_MATCH: The key shares provided by the client * - SSL_TLS1_3_PARSE_KEY_SHARES_EXT_NO_MATCH: The key shares provided by
* does not match a group supported by the server. A HelloRetryRequest will * the client does not match a group supported by the server. A
* be needed. * HelloRetryRequest will be needed.
* - A negative value for fatal errors. * - A negative value for fatal errors.
*/ */
MBEDTLS_CHECK_RETURN_CRITICAL MBEDTLS_CHECK_RETURN_CRITICAL
@ -1042,7 +1042,8 @@ static int ssl_tls13_determine_key_exchange_mode(mbedtls_ssl_context *ssl)
* 3 ) Plain PSK Mode ( psk ) * 3 ) Plain PSK Mode ( psk )
*/ */
ssl->handshake->key_exchange_mode = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_NONE; ssl->handshake->key_exchange_mode =
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_NONE;
if (ssl_tls13_check_psk_ephemeral_key_exchange(ssl)) { if (ssl_tls13_check_psk_ephemeral_key_exchange(ssl)) {
ssl->handshake->key_exchange_mode = ssl->handshake->key_exchange_mode =
@ -1552,8 +1553,8 @@ static int ssl_tls13_parse_client_hello(mbedtls_ssl_context *ssl,
ret = ssl_tls13_parse_supported_groups_ext( ret = ssl_tls13_parse_supported_groups_ext(
ssl, p, extension_data_end); ssl, p, extension_data_end);
if (ret != 0) { if (ret != 0) {
MBEDTLS_SSL_DEBUG_RET(1, MBEDTLS_SSL_DEBUG_RET(
"mbedtls_ssl_parse_supported_groups_ext", ret); 1, "ssl_tls13_parse_supported_groups_ext", ret);
return ret; return ret;
} }
@ -1593,7 +1594,8 @@ static int ssl_tls13_parse_client_hello(mbedtls_ssl_context *ssl,
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED) #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
case MBEDTLS_TLS_EXT_PSK_KEY_EXCHANGE_MODES: case MBEDTLS_TLS_EXT_PSK_KEY_EXCHANGE_MODES:
MBEDTLS_SSL_DEBUG_MSG(3, ("found psk key exchange modes extension")); MBEDTLS_SSL_DEBUG_MSG(
3, ("found psk key exchange modes extension"));
ret = ssl_tls13_parse_key_exchange_modes_ext( ret = ssl_tls13_parse_key_exchange_modes_ext(
ssl, p, extension_data_end); ssl, p, extension_data_end);
@ -1645,10 +1647,8 @@ static int ssl_tls13_parse_client_hello(mbedtls_ssl_context *ssl,
ret = mbedtls_ssl_parse_sig_alg_ext( ret = mbedtls_ssl_parse_sig_alg_ext(
ssl, p, extension_data_end); ssl, p, extension_data_end);
if (ret != 0) { if (ret != 0) {
MBEDTLS_SSL_DEBUG_MSG(1, MBEDTLS_SSL_DEBUG_RET(
( 1, "mbedtls_ssl_parse_sig_alg_ext", ret);
"ssl_parse_supported_signature_algorithms_server_ext ( %d )",
ret));
return ret; return ret;
} }
break; break;
@ -1658,10 +1658,14 @@ static int ssl_tls13_parse_client_hello(mbedtls_ssl_context *ssl,
case MBEDTLS_TLS_EXT_RECORD_SIZE_LIMIT: case MBEDTLS_TLS_EXT_RECORD_SIZE_LIMIT:
MBEDTLS_SSL_DEBUG_MSG(3, ("found record_size_limit extension")); MBEDTLS_SSL_DEBUG_MSG(3, ("found record_size_limit extension"));
ret = mbedtls_ssl_tls13_parse_record_size_limit_ext(ssl, p, extension_data_end); ret = mbedtls_ssl_tls13_parse_record_size_limit_ext(
ssl, p, extension_data_end);
/* TODO: Return unconditionally here until we handle the record size limit correctly. /*
* Once handled correctly, only return in case of errors. */ * TODO: Return unconditionally here until we handle the record
* size limit correctly.
* Once handled correctly, only return in case of errors.
*/
return ret; return ret;
break; break;
@ -2239,9 +2243,8 @@ static int ssl_tls13_write_server_hello(mbedtls_ssl_context *ssl)
MBEDTLS_SSL_PROC_CHK(ssl_tls13_prepare_server_hello(ssl)); MBEDTLS_SSL_PROC_CHK(ssl_tls13_prepare_server_hello(ssl));
MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_start_handshake_msg(ssl, MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_start_handshake_msg(
MBEDTLS_SSL_HS_SERVER_HELLO, &buf, ssl, MBEDTLS_SSL_HS_SERVER_HELLO, &buf, &buf_len));
&buf_len));
MBEDTLS_SSL_PROC_CHK(ssl_tls13_write_server_hello_body(ssl, buf, MBEDTLS_SSL_PROC_CHK(ssl_tls13_write_server_hello_body(ssl, buf,
buf + buf_len, buf + buf_len,
@ -2413,15 +2416,16 @@ static int ssl_tls13_write_encrypted_extensions(mbedtls_ssl_context *ssl)
MBEDTLS_SSL_DEBUG_MSG(2, ("=> write encrypted extensions")); MBEDTLS_SSL_DEBUG_MSG(2, ("=> write encrypted extensions"));
MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_start_handshake_msg(ssl, MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_start_handshake_msg(
MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS, &buf, ssl, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS,
&buf_len)); &buf, &buf_len));
MBEDTLS_SSL_PROC_CHK(ssl_tls13_write_encrypted_extensions_body( MBEDTLS_SSL_PROC_CHK(ssl_tls13_write_encrypted_extensions_body(
ssl, buf, buf + buf_len, &msg_len)); ssl, buf, buf + buf_len, &msg_len));
MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum( MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(
ssl, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS, buf, msg_len)); ssl, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS,
buf, msg_len));
MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_finish_handshake_msg( MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_finish_handshake_msg(
ssl, buf_len, msg_len)); ssl, buf_len, msg_len));
@ -2546,15 +2550,16 @@ static int ssl_tls13_write_certificate_request(mbedtls_ssl_context *ssl)
unsigned char *buf; unsigned char *buf;
size_t buf_len, msg_len; size_t buf_len, msg_len;
MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_start_handshake_msg(ssl, MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_start_handshake_msg(
MBEDTLS_SSL_HS_CERTIFICATE_REQUEST, ssl, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST,
&buf, &buf_len)); &buf, &buf_len));
MBEDTLS_SSL_PROC_CHK(ssl_tls13_write_certificate_request_body( MBEDTLS_SSL_PROC_CHK(ssl_tls13_write_certificate_request_body(
ssl, buf, buf + buf_len, &msg_len)); ssl, buf, buf + buf_len, &msg_len));
MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum( MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(
ssl, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST, buf, msg_len)); ssl, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST,
buf, msg_len));
MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_finish_handshake_msg( MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_finish_handshake_msg(
ssl, buf_len, msg_len)); ssl, buf_len, msg_len));
@ -2665,8 +2670,8 @@ static int ssl_tls13_process_client_finished(mbedtls_ssl_context *ssl)
ret = mbedtls_ssl_tls13_compute_resumption_master_secret(ssl); ret = mbedtls_ssl_tls13_compute_resumption_master_secret(ssl);
if (ret != 0) { if (ret != 0) {
MBEDTLS_SSL_DEBUG_RET(1, MBEDTLS_SSL_DEBUG_RET(
"mbedtls_ssl_tls13_compute_resumption_master_secret", ret); 1, "mbedtls_ssl_tls13_compute_resumption_master_secret", ret);
} }
mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HANDSHAKE_WRAPUP); mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HANDSHAKE_WRAPUP);
@ -2691,7 +2696,8 @@ static int ssl_tls13_handshake_wrapup(mbedtls_ssl_context *ssl)
*/ */
/* Sent NewSessionTicket message only when client supports PSK */ /* Sent NewSessionTicket message only when client supports PSK */
if (mbedtls_ssl_tls13_some_psk_enabled(ssl)) { if (mbedtls_ssl_tls13_some_psk_enabled(ssl)) {
mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET); mbedtls_ssl_handshake_set_state(
ssl, MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET);
} else } else
#endif #endif
{ {
@ -2954,9 +2960,9 @@ static int ssl_tls13_write_new_session_ticket(mbedtls_ssl_context *ssl)
MBEDTLS_SSL_PROC_CHK(ssl_tls13_prepare_new_session_ticket( MBEDTLS_SSL_PROC_CHK(ssl_tls13_prepare_new_session_ticket(
ssl, ticket_nonce, sizeof(ticket_nonce))); ssl, ticket_nonce, sizeof(ticket_nonce)));
MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_start_handshake_msg(ssl, MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_start_handshake_msg(
MBEDTLS_SSL_HS_NEW_SESSION_TICKET, ssl, MBEDTLS_SSL_HS_NEW_SESSION_TICKET,
&buf, &buf_len)); &buf, &buf_len));
MBEDTLS_SSL_PROC_CHK(ssl_tls13_write_new_session_ticket_body( MBEDTLS_SSL_PROC_CHK(ssl_tls13_write_new_session_ticket_body(
ssl, buf, buf + buf_len, &msg_len, ssl, buf, buf + buf_len, &msg_len,
@ -3124,7 +3130,8 @@ int mbedtls_ssl_tls13_handshake_server_step(mbedtls_ssl_context *ssl)
if (ssl->handshake->new_session_tickets_count == 0) { if (ssl->handshake->new_session_tickets_count == 0) {
mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HANDSHAKE_OVER); mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HANDSHAKE_OVER);
} else { } else {
mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET); mbedtls_ssl_handshake_set_state(
ssl, MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET);
} }
break; break;