From 4e9b70e03a616530c9b0ef739d46c358e7785055 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Sun, 4 Dec 2022 14:08:02 +0800 Subject: [PATCH 01/20] Add early transform computation when accepted Signed-off-by: Jerry Yu --- library/ssl_tls13_server.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index d983a00395..e8967e6c28 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c @@ -1880,6 +1880,16 @@ static int ssl_tls13_postprocess_client_hello(mbedtls_ssl_context *ssl) #if defined(MBEDTLS_SSL_EARLY_DATA) /* There is enough information, update early data state. */ ssl_tls13_update_early_data_status(ssl); + + if (ssl->early_data_status == MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED) { + ret = mbedtls_ssl_tls13_compute_early_transform(ssl); + if (ret != 0) { + MBEDTLS_SSL_DEBUG_RET( + 1, "mbedtls_ssl_tls13_compute_early_transform", ret); + return ret; + } + } + #endif /* MBEDTLS_SSL_EARLY_DATA */ return 0; From 7d8c3fe12c9db11e31aa8ee305f454ae018402d1 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Mon, 12 Dec 2022 12:59:44 +0800 Subject: [PATCH 02/20] Add wait flight2 state. The state is come from RFC8446 section A.2 Signed-off-by: Jerry Yu --- include/mbedtls/ssl.h | 2 +- library/ssl_tls13_server.c | 45 ++++++++++++++++++++++++++++++++++++++ 2 files changed, 46 insertions(+), 1 deletion(-) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 3c2696fe40..2bca21a2f2 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -687,12 +687,12 @@ typedef enum { MBEDTLS_SSL_SERVER_FINISHED, MBEDTLS_SSL_FLUSH_BUFFERS, MBEDTLS_SSL_HANDSHAKE_WRAPUP, - MBEDTLS_SSL_NEW_SESSION_TICKET, MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT, MBEDTLS_SSL_HELLO_RETRY_REQUEST, MBEDTLS_SSL_ENCRYPTED_EXTENSIONS, MBEDTLS_SSL_END_OF_EARLY_DATA, + MBEDTLS_SSL_WAIT_FLIGHT2, MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY, MBEDTLS_SSL_CLIENT_CCS_AFTER_SERVER_FINISHED, MBEDTLS_SSL_CLIENT_CCS_BEFORE_2ND_CLIENT_HELLO, diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index e8967e6c28..40d51d8068 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c @@ -2782,6 +2782,30 @@ static int ssl_tls13_write_server_finished(mbedtls_ssl_context *ssl) MBEDTLS_SSL_DEBUG_MSG(1, ("Switch to handshake keys for inbound traffic")); mbedtls_ssl_set_inbound_transform(ssl, ssl->handshake->transform_handshake); + mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_WAIT_FLIGHT2); + + return 0; +} + +/* + * Handler for MBEDTLS_SSL_WAIT_FLIGHT2 + * + * RFC 8446 section A.2 + * + * WAIT_FLIGHT2 + * | + * +--------+--------+ + * No auth | | Client auth + * | | + * | v + * | WAIT_CERT + * | Recv | | Recv Certificate + */ +MBEDTLS_CHECK_RETURN_CRITICAL +static int ssl_tls13_process_wait_flight2(mbedtls_ssl_context *ssl) +{ + MBEDTLS_SSL_DEBUG_MSG(2, ("=> ssl_tls13_process_wait_flight2")); + if (ssl->handshake->certificate_request_sent) { mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE); } else { @@ -2790,6 +2814,7 @@ static int ssl_tls13_write_server_finished(mbedtls_ssl_context *ssl) mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_FINISHED); } + MBEDTLS_SSL_DEBUG_MSG(2, ("<= ssl_tls13_process_wait_flight2")); return 0; } @@ -3213,10 +3238,30 @@ int mbedtls_ssl_tls13_handshake_server_step(mbedtls_ssl_context *ssl) break; #endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */ + /* RFC 8446 section A.2 + * + * | Send Finished ( SERVER_FINISHED ) + * | K_send = application + * +--------+--------+ + * No 0-RTT | | 0-RTT + * | | + * K_recv = handshake | | K_recv = early data + * [Skip decrypt errors] | +------> WAIT_EOED -+ + * | | Recv | | Recv EndOfEarlyData + * | | early data | | K_recv = handshake + * | +------------+ | + * | | + * +> WAIT_FLIGHT2 <--------+ + * | + */ case MBEDTLS_SSL_SERVER_FINISHED: ret = ssl_tls13_write_server_finished(ssl); break; + case MBEDTLS_SSL_WAIT_FLIGHT2: + ret = ssl_tls13_process_wait_flight2(ssl); + break; + case MBEDTLS_SSL_CLIENT_FINISHED: ret = ssl_tls13_process_client_finished(ssl); break; From 87b5ed4e5b40bd7cc41506fa5850b28f2ac63bd9 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Mon, 12 Dec 2022 13:07:07 +0800 Subject: [PATCH 03/20] Add server side end-of-early-data handler Signed-off-by: Jerry Yu --- library/ssl_tls13_server.c | 126 +++++++++++++++++++++++++++++++++++++ 1 file changed, 126 insertions(+) diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index 40d51d8068..e69b091f30 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c @@ -2779,6 +2779,34 @@ static int ssl_tls13_write_server_finished(mbedtls_ssl_context *ssl) return ret; } +#if defined(MBEDTLS_SSL_EARLY_DATA) + if (ssl->early_data_status == MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED) { + /* TODO: compute early transform here? + * + * RFC 8446, section A.2 + * | Send Finished + * | K_send = application + * +--------+--------+ + * No 0-RTT | | 0-RTT + * | | + * | | K_recv = early data + * | +------> WAIT_EOED -+ + * + * early transform is set after server finished in this section. But + * it breaks our key computation, so we put early transform computation + * at the end of client hello. For time being, I am not sure the benifit + * for moving computation here. + */ + MBEDTLS_SSL_DEBUG_MSG( + 1, ("Switch to early keys for inbound traffic. " + "( K_recv = early data )")); + mbedtls_ssl_set_inbound_transform( + ssl, ssl->handshake->transform_earlydata); + mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_END_OF_EARLY_DATA); + return 0; + } +#endif /* MBEDTLS_SSL_EARLY_DATA */ + MBEDTLS_SSL_DEBUG_MSG(1, ("Switch to handshake keys for inbound traffic")); mbedtls_ssl_set_inbound_transform(ssl, ssl->handshake->transform_handshake); @@ -2818,6 +2846,98 @@ static int ssl_tls13_process_wait_flight2(mbedtls_ssl_context *ssl) return 0; } +#if defined(MBEDTLS_SSL_EARLY_DATA) +/* + * Handler for MBEDTLS_SSL_END_OF_EARLY_DATA( WAIT_EOED ) + * + * RFC 8446 section A.2 + * + * | + * +------> WAIT_EOED -+ + * | Recv | | Recv EndOfEarlyData + * | early data | | K_recv = handshake + * +------------+ | + * | + * WAIT_FLIGHT2 <--------+ + * | + */ +MBEDTLS_CHECK_RETURN_CRITICAL +static int ssl_tls13_process_wait_eoed(mbedtls_ssl_context *ssl) +{ + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + mbedtls_ssl_handshake_params *handshake = ssl->handshake; + + MBEDTLS_SSL_DEBUG_MSG(2, ("=> ssl_tls13_process_wait_eoed")); + + if ((ret = mbedtls_ssl_read_record(ssl, 0)) != 0) { + MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret); + return ret; + } + + /* RFC 8446 section 4.5 + * + * struct {} EndOfEarlyData; + */ + if (ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE && + ssl->in_msg[0] == MBEDTLS_SSL_HS_END_OF_EARLY_DATA) { + MBEDTLS_SSL_DEBUG_MSG( + 1, ("Switch to handshake keys for inbound traffic" + "( K_recv = handshake )")); + mbedtls_ssl_set_inbound_transform(ssl, handshake->transform_handshake); + mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_WAIT_FLIGHT2); + + ret = mbedtls_ssl_add_hs_hdr_to_checksum( + ssl, MBEDTLS_SSL_HS_END_OF_EARLY_DATA, 0); + if (0 != ret) { + MBEDTLS_SSL_DEBUG_RET( + 1, ("mbedtls_ssl_add_hs_hdr_to_checksum"), ret); + } + + goto cleanup; + + } + + /* RFC 8446 section 2.3 figure 4 + * + * 0-RTT data is sent via application data message. + */ + ret = MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE; + if (ssl->in_msgtype != MBEDTLS_SSL_MSG_APPLICATION_DATA) { + MBEDTLS_SSL_DEBUG_MSG( + 2, ("Unexpected message type %d", ssl->in_msgtype)); + goto cleanup; + } + + /* + * Output early data + * + * For time being, we print received data via debug message. + * + * TODO: Remove it when `mbedtls_ssl_read_early_data` is ready. + */ + ssl->in_msg[ssl->in_msglen] = 0; + MBEDTLS_SSL_DEBUG_MSG(3, ("\n%s", ssl->in_msg)); + + /* RFC 8446 section 4.6.1 + * + * A server receiving more than max_early_data_size bytes of 0-RTT data + * SHOULD terminate the connection with an "unexpected_message" alert. + * + * TODO: Add received data size check here. + */ + + ret = 0; + +cleanup: + if (ret == MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE) { + MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE, + MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE); + } + MBEDTLS_SSL_DEBUG_MSG(2, ("<= ssl_tls13_process_wait_eoed")); + return ret; +} +#endif /* MBEDTLS_SSL_EARLY_DATA */ + /* * Handler for MBEDTLS_SSL_CLIENT_FINISHED */ @@ -3262,6 +3382,12 @@ int mbedtls_ssl_tls13_handshake_server_step(mbedtls_ssl_context *ssl) ret = ssl_tls13_process_wait_flight2(ssl); break; +#if defined(MBEDTLS_SSL_EARLY_DATA) + case MBEDTLS_SSL_END_OF_EARLY_DATA: + ret = ssl_tls13_process_wait_eoed(ssl); + break; +#endif /* MBEDTLS_SSL_EARLY_DATA */ + case MBEDTLS_SSL_CLIENT_FINISHED: ret = ssl_tls13_process_client_finished(ssl); break; From 0e9eafff13f08e0cdff8e2db0ca08f8eb331a278 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Wed, 8 Feb 2023 15:38:19 +0800 Subject: [PATCH 04/20] Update tests to the code status Signed-off-by: Jerry Yu --- tests/opt-testcases/tls13-misc.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tests/opt-testcases/tls13-misc.sh b/tests/opt-testcases/tls13-misc.sh index 9208384498..6fc0c607f3 100755 --- a/tests/opt-testcases/tls13-misc.sh +++ b/tests/opt-testcases/tls13-misc.sh @@ -511,12 +511,12 @@ requires_all_configs_enabled MBEDTLS_SSL_EARLY_DATA MBEDTLS_SSL_SESSION_TICKETS MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_any_configs_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED -run_test "TLS 1.3 G->m: EarlyData: feature is enabled, fail." \ +run_test "TLS 1.3 G->m: EarlyData: feature is enabled, good." \ "$P_SRV force_version=tls13 debug_level=4 max_early_data_size=$EARLY_DATA_INPUT_LEN" \ "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+GROUP-ALL:+KX-ALL \ -d 10 -r --earlydata $EARLY_DATA_INPUT " \ - 1 \ + 0 \ -s "ClientHello: early_data(42) extension exists." \ -s "EncryptedExtensions: early_data(42) extension exists." \ -s "NewSessionTicket: early_data(42) extension does not exist." \ - -s "Last error was: -29056 - SSL - Verification of the message MAC failed" + -s "$( tail -1 $EARLY_DATA_INPUT )" From d33f7a8c722a9ca4c1338230d51ed5213a29c8bb Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Wed, 29 Nov 2023 15:09:21 +0800 Subject: [PATCH 05/20] improve document Signed-off-by: Jerry Yu --- library/ssl_tls13_server.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index e69b091f30..db6140eb0a 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c @@ -2794,8 +2794,8 @@ static int ssl_tls13_write_server_finished(mbedtls_ssl_context *ssl) * * early transform is set after server finished in this section. But * it breaks our key computation, so we put early transform computation - * at the end of client hello. For time being, I am not sure the benifit - * for moving computation here. + * at the end of client hello. For the time being, I am not sure the + * benifit for moving computation here. */ MBEDTLS_SSL_DEBUG_MSG( 1, ("Switch to early keys for inbound traffic. " @@ -2911,7 +2911,7 @@ static int ssl_tls13_process_wait_eoed(mbedtls_ssl_context *ssl) /* * Output early data * - * For time being, we print received data via debug message. + * For the time being, we print received data via debug message. * * TODO: Remove it when `mbedtls_ssl_read_early_data` is ready. */ From e32fac3d23fe25c242f424be1ef25ff378a3b64f Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Fri, 1 Dec 2023 16:25:16 +0800 Subject: [PATCH 06/20] remove wait_flight2 state Signed-off-by: Jerry Yu --- include/mbedtls/ssl.h | 1 - library/ssl_tls13_server.c | 35 ----------------------------------- 2 files changed, 36 deletions(-) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 2bca21a2f2..043988f255 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -692,7 +692,6 @@ typedef enum { MBEDTLS_SSL_HELLO_RETRY_REQUEST, MBEDTLS_SSL_ENCRYPTED_EXTENSIONS, MBEDTLS_SSL_END_OF_EARLY_DATA, - MBEDTLS_SSL_WAIT_FLIGHT2, MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY, MBEDTLS_SSL_CLIENT_CCS_AFTER_SERVER_FINISHED, MBEDTLS_SSL_CLIENT_CCS_BEFORE_2ND_CLIENT_HELLO, diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index db6140eb0a..c7dbb53888 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c @@ -2815,37 +2815,6 @@ static int ssl_tls13_write_server_finished(mbedtls_ssl_context *ssl) return 0; } -/* - * Handler for MBEDTLS_SSL_WAIT_FLIGHT2 - * - * RFC 8446 section A.2 - * - * WAIT_FLIGHT2 - * | - * +--------+--------+ - * No auth | | Client auth - * | | - * | v - * | WAIT_CERT - * | Recv | | Recv Certificate - */ -MBEDTLS_CHECK_RETURN_CRITICAL -static int ssl_tls13_process_wait_flight2(mbedtls_ssl_context *ssl) -{ - MBEDTLS_SSL_DEBUG_MSG(2, ("=> ssl_tls13_process_wait_flight2")); - - if (ssl->handshake->certificate_request_sent) { - mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE); - } else { - MBEDTLS_SSL_DEBUG_MSG(2, ("skip parse certificate")); - MBEDTLS_SSL_DEBUG_MSG(2, ("skip parse certificate verify")); - mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_FINISHED); - } - - MBEDTLS_SSL_DEBUG_MSG(2, ("<= ssl_tls13_process_wait_flight2")); - return 0; -} - #if defined(MBEDTLS_SSL_EARLY_DATA) /* * Handler for MBEDTLS_SSL_END_OF_EARLY_DATA( WAIT_EOED ) @@ -3378,10 +3347,6 @@ int mbedtls_ssl_tls13_handshake_server_step(mbedtls_ssl_context *ssl) ret = ssl_tls13_write_server_finished(ssl); break; - case MBEDTLS_SSL_WAIT_FLIGHT2: - ret = ssl_tls13_process_wait_flight2(ssl); - break; - #if defined(MBEDTLS_SSL_EARLY_DATA) case MBEDTLS_SSL_END_OF_EARLY_DATA: ret = ssl_tls13_process_wait_eoed(ssl); From 9b72e3970150416e2f8dc9d60526693fabdb6539 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Fri, 1 Dec 2023 16:27:08 +0800 Subject: [PATCH 07/20] re-introduce process_wait_flight2 Signed-off-by: Jerry Yu --- library/ssl_tls13_server.c | 56 +++++++++++++++++++++++++++++++++++++- 1 file changed, 55 insertions(+), 1 deletion(-) diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index c7dbb53888..1f834420a4 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c @@ -2758,6 +2758,60 @@ static int ssl_tls13_write_certificate_verify(mbedtls_ssl_context *ssl) } #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */ + +/* + * RFC 8446 section A.2 + * + * | Send ServerHello + * | K_send = handshake + * | Send EncryptedExtensions + * | [Send CertificateRequest] + * Can send | [Send Certificate + CertificateVerify] + * app data | Send Finished + * after --> | K_send = application + * here +--------+--------+ + * No 0-RTT | | 0-RTT + * | | + * K_recv = handshake | | K_recv = early data + * [Skip decrypt errors] | +------> WAIT_EOED -+ + * | | Recv | | Recv EndOfEarlyData + * | | early data | | K_recv = handshake + * | +------------+ | + * | | + * +> WAIT_FLIGHT2 <--------+ + * | + * +--------+--------+ + * No auth | | Client auth + * | | + * | v + * | WAIT_CERT + * | Recv | | Recv Certificate + * | empty | v + * | Certificate | WAIT_CV + * | | | Recv + * | v | CertificateVerify + * +-> WAIT_FINISHED <---+ + * | Recv Finished + * + * + * The following function handles the state changes after WAIT_FLIGHT2 in the + * above diagram. + */ +static void ssl_tls13_process_wait_flight2(mbedtls_ssl_context *ssl) +{ + MBEDTLS_SSL_DEBUG_MSG(2, ("=> ssl_tls13_process_wait_flight2")); + + if (ssl->handshake->certificate_request_sent) { + mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE); + } else { + MBEDTLS_SSL_DEBUG_MSG(2, ("skip parse certificate")); + MBEDTLS_SSL_DEBUG_MSG(2, ("skip parse certificate verify")); + mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_FINISHED); + } + + MBEDTLS_SSL_DEBUG_MSG(2, ("<= ssl_tls13_process_wait_flight2")); +} + /* * Handler for MBEDTLS_SSL_SERVER_FINISHED */ @@ -2810,7 +2864,7 @@ static int ssl_tls13_write_server_finished(mbedtls_ssl_context *ssl) MBEDTLS_SSL_DEBUG_MSG(1, ("Switch to handshake keys for inbound traffic")); mbedtls_ssl_set_inbound_transform(ssl, ssl->handshake->transform_handshake); - mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_WAIT_FLIGHT2); + ssl_tls13_process_wait_flight2(ssl); return 0; } From 59d420f17b6bf8f39c74ce020152c024b74de8fc Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Fri, 1 Dec 2023 16:30:34 +0800 Subject: [PATCH 08/20] empty process_end_of_early_data Signed-off-by: Jerry Yu --- library/ssl_tls13_server.c | 87 ++------------------------------------ 1 file changed, 4 insertions(+), 83 deletions(-) diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index 1f834420a4..7b1849cb9e 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c @@ -2871,92 +2871,13 @@ static int ssl_tls13_write_server_finished(mbedtls_ssl_context *ssl) #if defined(MBEDTLS_SSL_EARLY_DATA) /* - * Handler for MBEDTLS_SSL_END_OF_EARLY_DATA( WAIT_EOED ) - * - * RFC 8446 section A.2 - * - * | - * +------> WAIT_EOED -+ - * | Recv | | Recv EndOfEarlyData - * | early data | | K_recv = handshake - * +------------+ | - * | - * WAIT_FLIGHT2 <--------+ - * | + * Handler for MBEDTLS_SSL_END_OF_EARLY_DATA */ MBEDTLS_CHECK_RETURN_CRITICAL -static int ssl_tls13_process_wait_eoed(mbedtls_ssl_context *ssl) +static int ssl_tls13_process_end_of_early_data(mbedtls_ssl_context *ssl) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - mbedtls_ssl_handshake_params *handshake = ssl->handshake; - - MBEDTLS_SSL_DEBUG_MSG(2, ("=> ssl_tls13_process_wait_eoed")); - - if ((ret = mbedtls_ssl_read_record(ssl, 0)) != 0) { - MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret); - return ret; - } - - /* RFC 8446 section 4.5 - * - * struct {} EndOfEarlyData; - */ - if (ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE && - ssl->in_msg[0] == MBEDTLS_SSL_HS_END_OF_EARLY_DATA) { - MBEDTLS_SSL_DEBUG_MSG( - 1, ("Switch to handshake keys for inbound traffic" - "( K_recv = handshake )")); - mbedtls_ssl_set_inbound_transform(ssl, handshake->transform_handshake); - mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_WAIT_FLIGHT2); - - ret = mbedtls_ssl_add_hs_hdr_to_checksum( - ssl, MBEDTLS_SSL_HS_END_OF_EARLY_DATA, 0); - if (0 != ret) { - MBEDTLS_SSL_DEBUG_RET( - 1, ("mbedtls_ssl_add_hs_hdr_to_checksum"), ret); - } - - goto cleanup; - - } - - /* RFC 8446 section 2.3 figure 4 - * - * 0-RTT data is sent via application data message. - */ - ret = MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE; - if (ssl->in_msgtype != MBEDTLS_SSL_MSG_APPLICATION_DATA) { - MBEDTLS_SSL_DEBUG_MSG( - 2, ("Unexpected message type %d", ssl->in_msgtype)); - goto cleanup; - } - - /* - * Output early data - * - * For the time being, we print received data via debug message. - * - * TODO: Remove it when `mbedtls_ssl_read_early_data` is ready. - */ - ssl->in_msg[ssl->in_msglen] = 0; - MBEDTLS_SSL_DEBUG_MSG(3, ("\n%s", ssl->in_msg)); - - /* RFC 8446 section 4.6.1 - * - * A server receiving more than max_early_data_size bytes of 0-RTT data - * SHOULD terminate the connection with an "unexpected_message" alert. - * - * TODO: Add received data size check here. - */ - - ret = 0; - -cleanup: - if (ret == MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE) { - MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE, - MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE); - } - MBEDTLS_SSL_DEBUG_MSG(2, ("<= ssl_tls13_process_wait_eoed")); + ((void) ssl); return ret; } #endif /* MBEDTLS_SSL_EARLY_DATA */ @@ -3403,7 +3324,7 @@ int mbedtls_ssl_tls13_handshake_server_step(mbedtls_ssl_context *ssl) #if defined(MBEDTLS_SSL_EARLY_DATA) case MBEDTLS_SSL_END_OF_EARLY_DATA: - ret = ssl_tls13_process_wait_eoed(ssl); + ret = ssl_tls13_process_end_of_early_data(ssl); break; #endif /* MBEDTLS_SSL_EARLY_DATA */ From d5c3496ce24986b33d471a6fee18318ed6b848ee Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Fri, 1 Dec 2023 16:32:31 +0800 Subject: [PATCH 09/20] Add dummy framework of eoed state Signed-off-by: Jerry Yu --- library/ssl_tls13_server.c | 107 ++++++++++++++++++++++++++++++++++++- 1 file changed, 106 insertions(+), 1 deletion(-) diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index 7b1849cb9e..4b0acf0048 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c @@ -2873,11 +2873,116 @@ static int ssl_tls13_write_server_finished(mbedtls_ssl_context *ssl) /* * Handler for MBEDTLS_SSL_END_OF_EARLY_DATA */ +#define SSL_END_OF_EARLY_GOT_END_OF_EARLY_DATA 0 +#define SSL_END_OF_EARLY_GOT_APPLICATION_DATA 1 +/* Coordination: + * Deals with the ambiguity of not knowing if a EndOfEarlyData will be sent. + * Returns a negative code on failure, or + * - SSL_END_OF_EARLY_GOT_END_OF_EARLY_DATA + * - SSL_END_OF_EARLY_GOT_APPLICATION_DATA + * indicating which message is received. + */ +MBEDTLS_CHECK_RETURN_CRITICAL +static int ssl_tls13_end_of_early_data_coordinate(mbedtls_ssl_context *ssl) +{ + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + ((void) ssl); + return ret; +} + +MBEDTLS_CHECK_RETURN_CRITICAL +static int ssl_tls13_parse_end_of_early_data(mbedtls_ssl_context *ssl, + const unsigned char *buf, + const unsigned char *end) +{ + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + ((void) ssl); + ((void) buf); + ((void) end); + return ret; +} + +MBEDTLS_CHECK_RETURN_CRITICAL +static int ssl_tls13_process_early_application_data(mbedtls_ssl_context *ssl) +{ + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + ((void) ssl); + return ret; +} + +/* + * RFC 8446 section A.2 + * + * | Send ServerHello + * | K_send = handshake + * | Send EncryptedExtensions + * | [Send CertificateRequest] + * Can send | [Send Certificate + CertificateVerify] + * app data | Send Finished + * after --> | K_send = application + * here +--------+--------+ + * No 0-RTT | | 0-RTT + * | | + * K_recv = handshake | | K_recv = early data + * [Skip decrypt errors] | +------> WAIT_EOED -+ + * | | Recv | | Recv EndOfEarlyData + * | | early data | | K_recv = handshake + * | +------------+ | + * | | + * +> WAIT_FLIGHT2 <--------+ + * | + * +--------+--------+ + * No auth | | Client auth + * | | + * | v + * | WAIT_CERT + * | Recv | | Recv Certificate + * | empty | v + * | Certificate | WAIT_CV + * | | | Recv + * | v | CertificateVerify + * +-> WAIT_FINISHED <---+ + * | Recv Finished + * + * The function handles actions and state changes from 0-RTT to WAIT_FLIGHT2 in + * the above diagram. + */ MBEDTLS_CHECK_RETURN_CRITICAL static int ssl_tls13_process_end_of_early_data(mbedtls_ssl_context *ssl) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - ((void) ssl); + + MBEDTLS_SSL_DEBUG_MSG(2, ("=> ssl_tls13_process_end_of_early_data")); + + MBEDTLS_SSL_PROC_CHK_NEG(ssl_tls13_end_of_early_data_coordinate(ssl)); + + if (ret == SSL_END_OF_EARLY_GOT_END_OF_EARLY_DATA) { + unsigned char *buf; + size_t buf_len; + + MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_tls13_fetch_handshake_msg( + ssl, MBEDTLS_SSL_HS_END_OF_EARLY_DATA, + &buf, &buf_len)); + + MBEDTLS_SSL_PROC_CHK(ssl_tls13_parse_end_of_early_data( + ssl, buf, buf + buf_len)); + + MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum( + ssl, MBEDTLS_SSL_HS_END_OF_EARLY_DATA, + buf, buf_len)); + ssl_tls13_process_wait_flight2(ssl); + + } else if (ret == SSL_END_OF_EARLY_GOT_APPLICATION_DATA) { + MBEDTLS_SSL_PROC_CHK(ssl_tls13_process_early_application_data(ssl)); + } else { + MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); + ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR; + goto cleanup; + } + + +cleanup: + MBEDTLS_SSL_DEBUG_MSG(2, ("<= ssl_tls13_process_end_of_early_data")); return ret; } #endif /* MBEDTLS_SSL_EARLY_DATA */ From b4ed4602f241392a48bf1293024749b568639644 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Fri, 1 Dec 2023 16:34:00 +0800 Subject: [PATCH 10/20] implement coordinate of eoed Signed-off-by: Jerry Yu --- library/ssl_tls13_server.c | 23 +++++++++++++++++++++-- 1 file changed, 21 insertions(+), 2 deletions(-) diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index 4b0acf0048..83d08c5543 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c @@ -2886,8 +2886,27 @@ MBEDTLS_CHECK_RETURN_CRITICAL static int ssl_tls13_end_of_early_data_coordinate(mbedtls_ssl_context *ssl) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - ((void) ssl); - return ret; + + if ((ret = mbedtls_ssl_read_record(ssl, 0)) != 0) { + MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret); + return ret; + } + ssl->keep_current_message = 1; + + if (ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE && + ssl->in_msg[0] == MBEDTLS_SSL_HS_END_OF_EARLY_DATA) { + MBEDTLS_SSL_DEBUG_MSG(3, ("got end_of_early_data message.")); + return SSL_END_OF_EARLY_GOT_END_OF_EARLY_DATA; + } + + if (ssl->in_msgtype == MBEDTLS_SSL_MSG_APPLICATION_DATA) { + MBEDTLS_SSL_DEBUG_MSG(3, ("got application_data message")); + return SSL_END_OF_EARLY_GOT_APPLICATION_DATA; + } + + MBEDTLS_SSL_DEBUG_MSG(1, ("got unexpected message.")); + + return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE; } MBEDTLS_CHECK_RETURN_CRITICAL From 75c9ab76b59c1736720e061f721aca9bbae2801e Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Fri, 1 Dec 2023 16:41:40 +0800 Subject: [PATCH 11/20] implement parser of eoed Signed-off-by: Jerry Yu --- library/ssl_tls13_server.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index 83d08c5543..5e3508cdac 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c @@ -2914,11 +2914,12 @@ static int ssl_tls13_parse_end_of_early_data(mbedtls_ssl_context *ssl, const unsigned char *buf, const unsigned char *end) { - int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + /* RFC 8446 section 4.5 + * + * struct {} EndOfEarlyData; + */ ((void) ssl); - ((void) buf); - ((void) end); - return ret; + return buf == end ? 0 : MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE; } MBEDTLS_CHECK_RETURN_CRITICAL From e96551276abf01c8739dbe2b928f79c81d502acc Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Fri, 1 Dec 2023 16:44:40 +0800 Subject: [PATCH 12/20] switch inbound transform to handshake Signed-off-by: Jerry Yu --- library/ssl_tls13_server.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index 5e3508cdac..b350c7ef87 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c @@ -2987,9 +2987,16 @@ static int ssl_tls13_process_end_of_early_data(mbedtls_ssl_context *ssl) MBEDTLS_SSL_PROC_CHK(ssl_tls13_parse_end_of_early_data( ssl, buf, buf + buf_len)); + MBEDTLS_SSL_DEBUG_MSG( + 1, ("Switch to handshake keys for inbound traffic" + "( K_recv = handshake )")); + mbedtls_ssl_set_inbound_transform( + ssl, ssl->handshake->transform_handshake); + MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum( ssl, MBEDTLS_SSL_HS_END_OF_EARLY_DATA, buf, buf_len)); + ssl_tls13_process_wait_flight2(ssl); } else if (ret == SSL_END_OF_EARLY_GOT_APPLICATION_DATA) { From ee4d72955595b9e4afbe93093deba5c47be702e1 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Fri, 1 Dec 2023 16:46:14 +0800 Subject: [PATCH 13/20] print received early application data Signed-off-by: Jerry Yu --- library/ssl_tls13_server.c | 34 ++++++++++++++++++++++++++++++++-- 1 file changed, 32 insertions(+), 2 deletions(-) diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index b350c7ef87..6245bb8632 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c @@ -2926,8 +2926,38 @@ MBEDTLS_CHECK_RETURN_CRITICAL static int ssl_tls13_process_early_application_data(mbedtls_ssl_context *ssl) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - ((void) ssl); - return ret; + + if ((ret = mbedtls_ssl_read_record(ssl, 0)) != 0) { + MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret); + return ret; + } + + ret = MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE; + if (ssl->in_msgtype != MBEDTLS_SSL_MSG_APPLICATION_DATA) { + MBEDTLS_SSL_DEBUG_MSG( + 2, ("Unexpected message type %d", ssl->in_msgtype)); + return ret; + } + + /* + * Output early data + * + * For the time being, we print received data via debug message. + * + * TODO: Remove it when `mbedtls_ssl_read_early_data` is ready. + */ + ssl->in_msg[ssl->in_msglen] = 0; + MBEDTLS_SSL_DEBUG_MSG(3, ("\n%s", ssl->in_msg)); + + /* RFC 8446 section 4.6.1 + * + * A server receiving more than max_early_data_size bytes of 0-RTT data + * SHOULD terminate the connection with an "unexpected_message" alert. + * + * TODO: Add received data size check here. + */ + + return 0; } /* From 0af63dc263da296b96baff8e5cda883b3747a9f2 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Fri, 1 Dec 2023 17:14:51 +0800 Subject: [PATCH 14/20] improve comments and output message Signed-off-by: Jerry Yu --- library/ssl_tls13_server.c | 22 ++++------------------ 1 file changed, 4 insertions(+), 18 deletions(-) diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index 6245bb8632..7d5362caf6 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c @@ -2835,22 +2835,7 @@ static int ssl_tls13_write_server_finished(mbedtls_ssl_context *ssl) #if defined(MBEDTLS_SSL_EARLY_DATA) if (ssl->early_data_status == MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED) { - /* TODO: compute early transform here? - * - * RFC 8446, section A.2 - * | Send Finished - * | K_send = application - * +--------+--------+ - * No 0-RTT | | 0-RTT - * | | - * | | K_recv = early data - * | +------> WAIT_EOED -+ - * - * early transform is set after server finished in this section. But - * it breaks our key computation, so we put early transform computation - * at the end of client hello. For the time being, I am not sure the - * benifit for moving computation here. - */ + /* See RFC 8446 section A.2 for more information */ MBEDTLS_SSL_DEBUG_MSG( 1, ("Switch to early keys for inbound traffic. " "( K_recv = early data )")); @@ -2860,8 +2845,9 @@ static int ssl_tls13_write_server_finished(mbedtls_ssl_context *ssl) return 0; } #endif /* MBEDTLS_SSL_EARLY_DATA */ - - MBEDTLS_SSL_DEBUG_MSG(1, ("Switch to handshake keys for inbound traffic")); + MBEDTLS_SSL_DEBUG_MSG( + 1, ("Switch to handshake keys for inbound traffic " + "( K_recv = handshake )")); mbedtls_ssl_set_inbound_transform(ssl, ssl->handshake->transform_handshake); ssl_tls13_process_wait_flight2(ssl); From 3be850782c8d89edffae4ca813a6203ba514d15b Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Mon, 4 Dec 2023 09:58:54 +0800 Subject: [PATCH 15/20] fix various issues - improve comments - rename function and macros name - remove unnecessary comments - remove extra empty lines - remove unnecessary condition Signed-off-by: Jerry Yu --- library/ssl_tls13_server.c | 61 +++++++++++++------------------------- 1 file changed, 21 insertions(+), 40 deletions(-) diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index 7d5362caf6..2e51572a62 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c @@ -2758,7 +2758,6 @@ static int ssl_tls13_write_certificate_verify(mbedtls_ssl_context *ssl) } #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */ - /* * RFC 8446 section A.2 * @@ -2795,11 +2794,15 @@ static int ssl_tls13_write_certificate_verify(mbedtls_ssl_context *ssl) * * * The following function handles the state changes after WAIT_FLIGHT2 in the - * above diagram. + * above diagram. We are not going to receive early data related messages + * anymore, prepare to receive the first handshake message of the client + * second flight. */ -static void ssl_tls13_process_wait_flight2(mbedtls_ssl_context *ssl) +static void ssl_tls13_prepare_for_handshake_second_flight( + mbedtls_ssl_context *ssl) { - MBEDTLS_SSL_DEBUG_MSG(2, ("=> ssl_tls13_process_wait_flight2")); + MBEDTLS_SSL_DEBUG_MSG( + 2, ("=> ssl_tls13_prepare_for_handshake_second_flight")); if (ssl->handshake->certificate_request_sent) { mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE); @@ -2809,7 +2812,8 @@ static void ssl_tls13_process_wait_flight2(mbedtls_ssl_context *ssl) mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_FINISHED); } - MBEDTLS_SSL_DEBUG_MSG(2, ("<= ssl_tls13_process_wait_flight2")); + MBEDTLS_SSL_DEBUG_MSG( + 2, ("<= ssl_tls13_prepare_for_handshake_second_flight")); } /* @@ -2850,7 +2854,7 @@ static int ssl_tls13_write_server_finished(mbedtls_ssl_context *ssl) "( K_recv = handshake )")); mbedtls_ssl_set_inbound_transform(ssl, ssl->handshake->transform_handshake); - ssl_tls13_process_wait_flight2(ssl); + ssl_tls13_prepare_for_handshake_second_flight(ssl); return 0; } @@ -2859,13 +2863,14 @@ static int ssl_tls13_write_server_finished(mbedtls_ssl_context *ssl) /* * Handler for MBEDTLS_SSL_END_OF_EARLY_DATA */ -#define SSL_END_OF_EARLY_GOT_END_OF_EARLY_DATA 0 -#define SSL_END_OF_EARLY_GOT_APPLICATION_DATA 1 +#define SSL_GOT_END_OF_EARLY_DATA 0 +#define SSL_GOT_APPLICATION_DATA 1 /* Coordination: - * Deals with the ambiguity of not knowing if a EndOfEarlyData will be sent. + * Deals with the ambiguity of not knowing if the next message is an + * EndOfEarlyData message or an application message containing early data. * Returns a negative code on failure, or - * - SSL_END_OF_EARLY_GOT_END_OF_EARLY_DATA - * - SSL_END_OF_EARLY_GOT_APPLICATION_DATA + * - SSL_GOT_END_OF_EARLY_DATA + * - SSL_GOT_APPLICATION_DATA * indicating which message is received. */ MBEDTLS_CHECK_RETURN_CRITICAL @@ -2882,12 +2887,12 @@ static int ssl_tls13_end_of_early_data_coordinate(mbedtls_ssl_context *ssl) if (ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE && ssl->in_msg[0] == MBEDTLS_SSL_HS_END_OF_EARLY_DATA) { MBEDTLS_SSL_DEBUG_MSG(3, ("got end_of_early_data message.")); - return SSL_END_OF_EARLY_GOT_END_OF_EARLY_DATA; + return SSL_GOT_END_OF_EARLY_DATA; } if (ssl->in_msgtype == MBEDTLS_SSL_MSG_APPLICATION_DATA) { MBEDTLS_SSL_DEBUG_MSG(3, ("got application_data message")); - return SSL_END_OF_EARLY_GOT_APPLICATION_DATA; + return SSL_GOT_APPLICATION_DATA; } MBEDTLS_SSL_DEBUG_MSG(1, ("got unexpected message.")); @@ -2918,13 +2923,6 @@ static int ssl_tls13_process_early_application_data(mbedtls_ssl_context *ssl) return ret; } - ret = MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE; - if (ssl->in_msgtype != MBEDTLS_SSL_MSG_APPLICATION_DATA) { - MBEDTLS_SSL_DEBUG_MSG( - 2, ("Unexpected message type %d", ssl->in_msgtype)); - return ret; - } - /* * Output early data * @@ -2992,7 +2990,7 @@ static int ssl_tls13_process_end_of_early_data(mbedtls_ssl_context *ssl) MBEDTLS_SSL_PROC_CHK_NEG(ssl_tls13_end_of_early_data_coordinate(ssl)); - if (ret == SSL_END_OF_EARLY_GOT_END_OF_EARLY_DATA) { + if (ret == SSL_GOT_END_OF_EARLY_DATA) { unsigned char *buf; size_t buf_len; @@ -3013,9 +3011,9 @@ static int ssl_tls13_process_end_of_early_data(mbedtls_ssl_context *ssl) ssl, MBEDTLS_SSL_HS_END_OF_EARLY_DATA, buf, buf_len)); - ssl_tls13_process_wait_flight2(ssl); + ssl_tls13_prepare_for_handshake_second_flight(ssl); - } else if (ret == SSL_END_OF_EARLY_GOT_APPLICATION_DATA) { + } else if (ret == SSL_GOT_APPLICATION_DATA) { MBEDTLS_SSL_PROC_CHK(ssl_tls13_process_early_application_data(ssl)); } else { MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); @@ -3023,7 +3021,6 @@ static int ssl_tls13_process_end_of_early_data(mbedtls_ssl_context *ssl) goto cleanup; } - cleanup: MBEDTLS_SSL_DEBUG_MSG(2, ("<= ssl_tls13_process_end_of_early_data")); return ret; @@ -3450,22 +3447,6 @@ int mbedtls_ssl_tls13_handshake_server_step(mbedtls_ssl_context *ssl) break; #endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */ - /* RFC 8446 section A.2 - * - * | Send Finished ( SERVER_FINISHED ) - * | K_send = application - * +--------+--------+ - * No 0-RTT | | 0-RTT - * | | - * K_recv = handshake | | K_recv = early data - * [Skip decrypt errors] | +------> WAIT_EOED -+ - * | | Recv | | Recv EndOfEarlyData - * | | early data | | K_recv = handshake - * | +------------+ | - * | | - * +> WAIT_FLIGHT2 <--------+ - * | - */ case MBEDTLS_SSL_SERVER_FINISHED: ret = ssl_tls13_write_server_finished(ssl); break; From fbf039932ad0a824b3b222b659c4ec76bd35bc2e Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Mon, 4 Dec 2023 10:00:37 +0800 Subject: [PATCH 16/20] Send decode error alert when EOED parsing fail Signed-off-by: Jerry Yu --- library/ssl_tls13_server.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index 2e51572a62..65688cffc8 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c @@ -2910,7 +2910,12 @@ static int ssl_tls13_parse_end_of_early_data(mbedtls_ssl_context *ssl, * struct {} EndOfEarlyData; */ ((void) ssl); - return buf == end ? 0 : MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE; + if (buf != end) { + MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR, + MBEDTLS_ERR_SSL_DECODE_ERROR); + return MBEDTLS_ERR_SSL_DECODE_ERROR; + } + return 0; } MBEDTLS_CHECK_RETURN_CRITICAL From 7bb40a36503f5a649141d3a69b1371c63e804e4b Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Mon, 4 Dec 2023 10:04:15 +0800 Subject: [PATCH 17/20] send unexpected alert when not received eoed or app during reading early data Signed-off-by: Jerry Yu --- library/ssl_tls13_server.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index 65688cffc8..1c359a2685 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c @@ -2897,6 +2897,8 @@ static int ssl_tls13_end_of_early_data_coordinate(mbedtls_ssl_context *ssl) MBEDTLS_SSL_DEBUG_MSG(1, ("got unexpected message.")); + MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE, + MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE); return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE; } From b55f9eb5c5eadf802a02541fbac659564113ad67 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Tue, 5 Dec 2023 10:27:17 +0800 Subject: [PATCH 18/20] fix various issues - remove unnecessary statements - improve macro name - improve output message Signed-off-by: Jerry Yu --- library/ssl_tls13_server.c | 26 +++++++------------------- 1 file changed, 7 insertions(+), 19 deletions(-) diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index 1c359a2685..fcf57f06df 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c @@ -1889,11 +1889,9 @@ static int ssl_tls13_postprocess_client_hello(mbedtls_ssl_context *ssl) return ret; } } - #endif /* MBEDTLS_SSL_EARLY_DATA */ return 0; - } /* @@ -2801,19 +2799,12 @@ static int ssl_tls13_write_certificate_verify(mbedtls_ssl_context *ssl) static void ssl_tls13_prepare_for_handshake_second_flight( mbedtls_ssl_context *ssl) { - MBEDTLS_SSL_DEBUG_MSG( - 2, ("=> ssl_tls13_prepare_for_handshake_second_flight")); - if (ssl->handshake->certificate_request_sent) { mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE); } else { - MBEDTLS_SSL_DEBUG_MSG(2, ("skip parse certificate")); - MBEDTLS_SSL_DEBUG_MSG(2, ("skip parse certificate verify")); + MBEDTLS_SSL_DEBUG_MSG(2, ("Skip certificate and certificate verify parsing")); mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_FINISHED); } - - MBEDTLS_SSL_DEBUG_MSG( - 2, ("<= ssl_tls13_prepare_for_handshake_second_flight")); } /* @@ -2864,13 +2855,13 @@ static int ssl_tls13_write_server_finished(mbedtls_ssl_context *ssl) * Handler for MBEDTLS_SSL_END_OF_EARLY_DATA */ #define SSL_GOT_END_OF_EARLY_DATA 0 -#define SSL_GOT_APPLICATION_DATA 1 +#define SSL_GOT_EARLY_DATA 1 /* Coordination: * Deals with the ambiguity of not knowing if the next message is an * EndOfEarlyData message or an application message containing early data. * Returns a negative code on failure, or * - SSL_GOT_END_OF_EARLY_DATA - * - SSL_GOT_APPLICATION_DATA + * - SSL_GOT_EARLY_DATA * indicating which message is received. */ MBEDTLS_CHECK_RETURN_CRITICAL @@ -2886,17 +2877,15 @@ static int ssl_tls13_end_of_early_data_coordinate(mbedtls_ssl_context *ssl) if (ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE && ssl->in_msg[0] == MBEDTLS_SSL_HS_END_OF_EARLY_DATA) { - MBEDTLS_SSL_DEBUG_MSG(3, ("got end_of_early_data message.")); + MBEDTLS_SSL_DEBUG_MSG(3, ("Received an end_of_early_data message.")); return SSL_GOT_END_OF_EARLY_DATA; } if (ssl->in_msgtype == MBEDTLS_SSL_MSG_APPLICATION_DATA) { - MBEDTLS_SSL_DEBUG_MSG(3, ("got application_data message")); - return SSL_GOT_APPLICATION_DATA; + MBEDTLS_SSL_DEBUG_MSG(3, ("Received early data")); + return SSL_GOT_EARLY_DATA; } - MBEDTLS_SSL_DEBUG_MSG(1, ("got unexpected message.")); - MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE, MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE); return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE; @@ -2911,7 +2900,6 @@ static int ssl_tls13_parse_end_of_early_data(mbedtls_ssl_context *ssl, * * struct {} EndOfEarlyData; */ - ((void) ssl); if (buf != end) { MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR, MBEDTLS_ERR_SSL_DECODE_ERROR); @@ -3020,7 +3008,7 @@ static int ssl_tls13_process_end_of_early_data(mbedtls_ssl_context *ssl) ssl_tls13_prepare_for_handshake_second_flight(ssl); - } else if (ret == SSL_GOT_APPLICATION_DATA) { + } else if (ret == SSL_GOT_EARLY_DATA) { MBEDTLS_SSL_PROC_CHK(ssl_tls13_process_early_application_data(ssl)); } else { MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); From ebb1b1d48f810558d63149ec4ca8c3e30a1fb1c1 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Tue, 5 Dec 2023 11:02:15 +0800 Subject: [PATCH 19/20] fix ci test failure "skip parse certificate verify" can not be changed. It is used in `Authentication: client badcert, server none` test. Signed-off-by: Jerry Yu --- library/ssl_tls13_server.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index fcf57f06df..32893acac8 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c @@ -2802,7 +2802,10 @@ static void ssl_tls13_prepare_for_handshake_second_flight( if (ssl->handshake->certificate_request_sent) { mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE); } else { - MBEDTLS_SSL_DEBUG_MSG(2, ("Skip certificate and certificate verify parsing")); + MBEDTLS_SSL_DEBUG_MSG(2, ("skip parse certificate verify")); + MBEDTLS_SSL_DEBUG_MSG( + 2, ("Skip certificate and certificate verify parsing")); + mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_FINISHED); } } From 42020fb1862375ac4fa921cabe2cf8d987319444 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Tue, 5 Dec 2023 17:35:53 +0800 Subject: [PATCH 20/20] revert output message which used by testing Signed-off-by: Jerry Yu --- library/ssl_tls13_server.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index 32893acac8..bfe805f496 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c @@ -2802,9 +2802,8 @@ static void ssl_tls13_prepare_for_handshake_second_flight( if (ssl->handshake->certificate_request_sent) { mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE); } else { + MBEDTLS_SSL_DEBUG_MSG(2, ("skip parse certificate")); MBEDTLS_SSL_DEBUG_MSG(2, ("skip parse certificate verify")); - MBEDTLS_SSL_DEBUG_MSG( - 2, ("Skip certificate and certificate verify parsing")); mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_FINISHED); }