mirror of
https://github.com/Mbed-TLS/mbedtls.git
synced 2025-04-05 07:20:40 +00:00
tls13: Use MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK.*ENABLED
Use MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED instead of MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED to guard code specific to one of the TLS 1.3 key exchange mode with PSK. Signed-off-by: Ronald Cron <ronald.cron@arm.com>
This commit is contained in:
Ronald Cron
parent
928cbd34e7
commit
41a443a68d
@ -637,8 +637,7 @@ static int ssl_write_client_hello_body( mbedtls_ssl_context *ssl,
|
|||||||
}
|
}
|
||||||
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
|
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
|
||||||
|
|
||||||
#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
|
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
|
||||||
defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
|
|
||||||
/* The "pre_shared_key" extension (RFC 8446 Section 4.2.11)
|
/* The "pre_shared_key" extension (RFC 8446 Section 4.2.11)
|
||||||
* MUST be the last extension in the ClientHello.
|
* MUST be the last extension in the ClientHello.
|
||||||
*/
|
*/
|
||||||
@ -650,7 +649,7 @@ static int ssl_write_client_hello_body( mbedtls_ssl_context *ssl,
|
|||||||
return( ret );
|
return( ret );
|
||||||
p += output_len;
|
p += output_len;
|
||||||
}
|
}
|
||||||
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 && MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
|
#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */
|
||||||
|
|
||||||
/* Write the length of the list of extensions. */
|
/* Write the length of the list of extensions. */
|
||||||
extensions_len = p - p_extensions_len - 2;
|
extensions_len = p - p_extensions_len - 2;
|
||||||
@ -957,8 +956,7 @@ int mbedtls_ssl_write_client_hello( mbedtls_ssl_context *ssl )
|
|||||||
mbedtls_ssl_add_hs_hdr_to_checksum( ssl, MBEDTLS_SSL_HS_CLIENT_HELLO,
|
mbedtls_ssl_add_hs_hdr_to_checksum( ssl, MBEDTLS_SSL_HS_CLIENT_HELLO,
|
||||||
msg_len );
|
msg_len );
|
||||||
ssl->handshake->update_checksum( ssl, buf, msg_len - binders_len );
|
ssl->handshake->update_checksum( ssl, buf, msg_len - binders_len );
|
||||||
#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
|
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
|
||||||
defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
|
|
||||||
if( binders_len > 0 )
|
if( binders_len > 0 )
|
||||||
{
|
{
|
||||||
MBEDTLS_SSL_PROC_CHK(
|
MBEDTLS_SSL_PROC_CHK(
|
||||||
@ -967,7 +965,7 @@ int mbedtls_ssl_write_client_hello( mbedtls_ssl_context *ssl )
|
|||||||
ssl->handshake->update_checksum( ssl, buf + msg_len - binders_len,
|
ssl->handshake->update_checksum( ssl, buf + msg_len - binders_len,
|
||||||
binders_len );
|
binders_len );
|
||||||
}
|
}
|
||||||
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 && MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
|
#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */
|
||||||
|
|
||||||
MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_finish_handshake_msg( ssl,
|
MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_finish_handshake_msg( ssl,
|
||||||
buf_len,
|
buf_len,
|
||||||
|
|||||||
@ -619,7 +619,7 @@ struct mbedtls_ssl_handshake_params
|
|||||||
#if defined(MBEDTLS_SSL_SRV_C)
|
#if defined(MBEDTLS_SSL_SRV_C)
|
||||||
/** selected_group of key_share extension in HelloRetryRequest message. */
|
/** selected_group of key_share extension in HelloRetryRequest message. */
|
||||||
uint16_t hrr_selected_group;
|
uint16_t hrr_selected_group;
|
||||||
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
|
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
|
||||||
uint8_t tls13_kex_modes; /*!< Key exchange modes supported by the client */
|
uint8_t tls13_kex_modes; /*!< Key exchange modes supported by the client */
|
||||||
#endif
|
#endif
|
||||||
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
|
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
|
||||||
@ -1786,7 +1786,8 @@ static inline int mbedtls_ssl_conf_tls13_some_psk_enabled( mbedtls_ssl_context *
|
|||||||
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL ) );
|
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL ) );
|
||||||
}
|
}
|
||||||
|
|
||||||
#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
|
#if defined(MBEDTLS_SSL_SRV_C) && \
|
||||||
|
defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
|
||||||
/**
|
/**
|
||||||
* Given a list of key exchange modes, check if at least one of them is
|
* Given a list of key exchange modes, check if at least one of them is
|
||||||
* supported.
|
* supported.
|
||||||
@ -1833,7 +1834,8 @@ static inline int mbedtls_ssl_tls13_some_psk_enabled( mbedtls_ssl_context *ssl )
|
|||||||
return( ! mbedtls_ssl_tls13_check_kex_modes( ssl,
|
return( ! mbedtls_ssl_tls13_check_kex_modes( ssl,
|
||||||
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL ) );
|
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL ) );
|
||||||
}
|
}
|
||||||
#endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
|
#endif /* MBEDTLS_SSL_SRV_C &&
|
||||||
|
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Helper functions to check the selected key exchange mode.
|
* Helper functions to check the selected key exchange mode.
|
||||||
@ -2451,7 +2453,7 @@ int mbedtls_ssl_check_dtls_clihlo_cookie(
|
|||||||
unsigned char *obuf, size_t buf_len, size_t *olen );
|
unsigned char *obuf, size_t buf_len, size_t *olen );
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
|
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
|
||||||
/**
|
/**
|
||||||
* \brief Given an SSL context and its associated configuration, write the TLS
|
* \brief Given an SSL context and its associated configuration, write the TLS
|
||||||
* 1.3 specific Pre-Shared key extension.
|
* 1.3 specific Pre-Shared key extension.
|
||||||
@ -2484,7 +2486,7 @@ MBEDTLS_CHECK_RETURN_CRITICAL
|
|||||||
int mbedtls_ssl_tls13_write_binders_of_pre_shared_key_ext(
|
int mbedtls_ssl_tls13_write_binders_of_pre_shared_key_ext(
|
||||||
mbedtls_ssl_context *ssl,
|
mbedtls_ssl_context *ssl,
|
||||||
unsigned char *buf, unsigned char *end );
|
unsigned char *buf, unsigned char *end );
|
||||||
#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
|
#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */
|
||||||
|
|
||||||
#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
|
#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
|
||||||
defined(MBEDTLS_SSL_SESSION_TICKETS) && \
|
defined(MBEDTLS_SSL_SESSION_TICKETS) && \
|
||||||
|
|||||||
@ -3665,7 +3665,7 @@ void mbedtls_ssl_handshake_free( mbedtls_ssl_context *ssl )
|
|||||||
mbedtls_free( handshake->psk );
|
mbedtls_free( handshake->psk );
|
||||||
}
|
}
|
||||||
#endif /* MBEDTLS_USE_PSA_CRYPTO */
|
#endif /* MBEDTLS_USE_PSA_CRYPTO */
|
||||||
#endif
|
#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
|
||||||
|
|
||||||
#if defined(MBEDTLS_X509_CRT_PARSE_C) && \
|
#if defined(MBEDTLS_X509_CRT_PARSE_C) && \
|
||||||
defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
|
defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
|
||||||
@ -4895,7 +4895,7 @@ void mbedtls_ssl_config_free( mbedtls_ssl_config *conf )
|
|||||||
conf->psk_identity = NULL;
|
conf->psk_identity = NULL;
|
||||||
conf->psk_identity_len = 0;
|
conf->psk_identity_len = 0;
|
||||||
}
|
}
|
||||||
#endif
|
#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
|
||||||
|
|
||||||
#if defined(MBEDTLS_X509_CRT_PARSE_C)
|
#if defined(MBEDTLS_X509_CRT_PARSE_C)
|
||||||
ssl_key_cert_free( conf->key_cert );
|
ssl_key_cert_free( conf->key_cert );
|
||||||
|
|||||||
@ -602,7 +602,7 @@ static int ssl_tls13_write_cookie_ext( mbedtls_ssl_context *ssl,
|
|||||||
return( 0 );
|
return( 0 );
|
||||||
}
|
}
|
||||||
|
|
||||||
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
|
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
|
||||||
/*
|
/*
|
||||||
* ssl_tls13_write_psk_key_exchange_modes_ext() structure:
|
* ssl_tls13_write_psk_key_exchange_modes_ext() structure:
|
||||||
*
|
*
|
||||||
@ -1112,8 +1112,7 @@ static int ssl_tls13_parse_server_pre_shared_key_ext( mbedtls_ssl_context *ssl,
|
|||||||
|
|
||||||
return( 0 );
|
return( 0 );
|
||||||
}
|
}
|
||||||
|
#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */
|
||||||
#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
|
|
||||||
|
|
||||||
int mbedtls_ssl_tls13_write_client_hello_exts( mbedtls_ssl_context *ssl,
|
int mbedtls_ssl_tls13_write_client_hello_exts( mbedtls_ssl_context *ssl,
|
||||||
unsigned char *buf,
|
unsigned char *buf,
|
||||||
@ -1151,7 +1150,7 @@ int mbedtls_ssl_tls13_write_client_hello_exts( mbedtls_ssl_context *ssl,
|
|||||||
p += ext_len;
|
p += ext_len;
|
||||||
}
|
}
|
||||||
|
|
||||||
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
|
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
|
||||||
/* For PSK-based key exchange we need the pre_shared_key extension
|
/* For PSK-based key exchange we need the pre_shared_key extension
|
||||||
* and the psk_key_exchange_modes extension.
|
* and the psk_key_exchange_modes extension.
|
||||||
*
|
*
|
||||||
@ -1165,7 +1164,7 @@ int mbedtls_ssl_tls13_write_client_hello_exts( mbedtls_ssl_context *ssl,
|
|||||||
if( ret != 0 )
|
if( ret != 0 )
|
||||||
return( ret );
|
return( ret );
|
||||||
p += ext_len;
|
p += ext_len;
|
||||||
#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
|
#endif
|
||||||
|
|
||||||
*out_len = p - buf;
|
*out_len = p - buf;
|
||||||
|
|
||||||
@ -1681,7 +1680,7 @@ static int ssl_tls13_parse_server_hello( mbedtls_ssl_context *ssl,
|
|||||||
goto cleanup;
|
goto cleanup;
|
||||||
break;
|
break;
|
||||||
|
|
||||||
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
|
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
|
||||||
case MBEDTLS_TLS_EXT_PRE_SHARED_KEY:
|
case MBEDTLS_TLS_EXT_PRE_SHARED_KEY:
|
||||||
MBEDTLS_SSL_DEBUG_MSG( 3, ( "found pre_shared_key extension" ) );
|
MBEDTLS_SSL_DEBUG_MSG( 3, ( "found pre_shared_key extension" ) );
|
||||||
if( is_hrr )
|
if( is_hrr )
|
||||||
@ -1698,7 +1697,7 @@ static int ssl_tls13_parse_server_hello( mbedtls_ssl_context *ssl,
|
|||||||
return( ret );
|
return( ret );
|
||||||
}
|
}
|
||||||
break;
|
break;
|
||||||
#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
|
#endif
|
||||||
|
|
||||||
case MBEDTLS_TLS_EXT_KEY_SHARE:
|
case MBEDTLS_TLS_EXT_KEY_SHARE:
|
||||||
MBEDTLS_SSL_DEBUG_MSG( 3, ( "found key_shares extension" ) );
|
MBEDTLS_SSL_DEBUG_MSG( 3, ( "found key_shares extension" ) );
|
||||||
|
|||||||
@ -1067,7 +1067,7 @@ int mbedtls_ssl_tls13_key_schedule_stage_early( mbedtls_ssl_context *ssl )
|
|||||||
}
|
}
|
||||||
|
|
||||||
hash_alg = mbedtls_hash_info_psa_from_md( handshake->ciphersuite_info->mac );
|
hash_alg = mbedtls_hash_info_psa_from_md( handshake->ciphersuite_info->mac );
|
||||||
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
|
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
|
||||||
if( mbedtls_ssl_tls13_key_exchange_mode_with_psk( ssl ) )
|
if( mbedtls_ssl_tls13_key_exchange_mode_with_psk( ssl ) )
|
||||||
{
|
{
|
||||||
ret = mbedtls_ssl_tls13_export_handshake_psk( ssl, &psk, &psk_len );
|
ret = mbedtls_ssl_tls13_export_handshake_psk( ssl, &psk, &psk_len );
|
||||||
@ -1083,7 +1083,7 @@ int mbedtls_ssl_tls13_key_schedule_stage_early( mbedtls_ssl_context *ssl )
|
|||||||
ret = mbedtls_ssl_tls13_evolve_secret( hash_alg, NULL, psk, psk_len,
|
ret = mbedtls_ssl_tls13_evolve_secret( hash_alg, NULL, psk, psk_len,
|
||||||
handshake->tls13_master_secrets.early );
|
handshake->tls13_master_secrets.early );
|
||||||
#if defined(MBEDTLS_USE_PSA_CRYPTO) && \
|
#if defined(MBEDTLS_USE_PSA_CRYPTO) && \
|
||||||
defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
|
defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
|
||||||
mbedtls_free( (void*)psk );
|
mbedtls_free( (void*)psk );
|
||||||
#endif
|
#endif
|
||||||
if( ret != 0 )
|
if( ret != 0 )
|
||||||
@ -1614,7 +1614,7 @@ cleanup:
|
|||||||
return( ret );
|
return( ret );
|
||||||
}
|
}
|
||||||
|
|
||||||
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
|
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
|
||||||
int mbedtls_ssl_tls13_export_handshake_psk( mbedtls_ssl_context *ssl,
|
int mbedtls_ssl_tls13_export_handshake_psk( mbedtls_ssl_context *ssl,
|
||||||
unsigned char **psk,
|
unsigned char **psk,
|
||||||
size_t *psk_len )
|
size_t *psk_len )
|
||||||
@ -1655,7 +1655,7 @@ int mbedtls_ssl_tls13_export_handshake_psk( mbedtls_ssl_context *ssl,
|
|||||||
return( 0 );
|
return( 0 );
|
||||||
#endif /* !MBEDTLS_USE_PSA_CRYPTO */
|
#endif /* !MBEDTLS_USE_PSA_CRYPTO */
|
||||||
}
|
}
|
||||||
#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
|
#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */
|
||||||
|
|
||||||
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
|
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
|
||||||
|
|
||||||
|
|||||||
@ -691,7 +691,7 @@ int mbedtls_ssl_tls13_compute_handshake_transform( mbedtls_ssl_context *ssl );
|
|||||||
MBEDTLS_CHECK_RETURN_CRITICAL
|
MBEDTLS_CHECK_RETURN_CRITICAL
|
||||||
int mbedtls_ssl_tls13_compute_application_transform( mbedtls_ssl_context *ssl );
|
int mbedtls_ssl_tls13_compute_application_transform( mbedtls_ssl_context *ssl );
|
||||||
|
|
||||||
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
|
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
|
||||||
/**
|
/**
|
||||||
* \brief Export TLS 1.3 PSK from handshake context
|
* \brief Export TLS 1.3 PSK from handshake context
|
||||||
*
|
*
|
||||||
@ -707,7 +707,7 @@ MBEDTLS_CHECK_RETURN_CRITICAL
|
|||||||
int mbedtls_ssl_tls13_export_handshake_psk( mbedtls_ssl_context *ssl,
|
int mbedtls_ssl_tls13_export_handshake_psk( mbedtls_ssl_context *ssl,
|
||||||
unsigned char **psk,
|
unsigned char **psk,
|
||||||
size_t *psk_len );
|
size_t *psk_len );
|
||||||
#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
|
#endif
|
||||||
|
|
||||||
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
|
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
|
||||||
|
|
||||||
|
|||||||
@ -59,7 +59,7 @@ static const mbedtls_ssl_ciphersuite_t *ssl_tls13_validate_peer_ciphersuite(
|
|||||||
return( ciphersuite_info );
|
return( ciphersuite_info );
|
||||||
}
|
}
|
||||||
|
|
||||||
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
|
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
|
||||||
/* From RFC 8446:
|
/* From RFC 8446:
|
||||||
*
|
*
|
||||||
* enum { psk_ke(0), psk_dhe_ke(1), (255) } PskKeyExchangeMode;
|
* enum { psk_ke(0), psk_dhe_ke(1), (255) } PskKeyExchangeMode;
|
||||||
@ -701,7 +701,7 @@ static int ssl_tls13_write_server_pre_shared_key_ext( mbedtls_ssl_context *ssl,
|
|||||||
return( 0 );
|
return( 0 );
|
||||||
}
|
}
|
||||||
|
|
||||||
#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
|
#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */
|
||||||
|
|
||||||
/* From RFC 8446:
|
/* From RFC 8446:
|
||||||
* struct {
|
* struct {
|
||||||
@ -993,7 +993,7 @@ static int ssl_tls13_client_hello_has_exts_for_ephemeral_key_exchange(
|
|||||||
MBEDTLS_SSL_EXT_SIG_ALG ) );
|
MBEDTLS_SSL_EXT_SIG_ALG ) );
|
||||||
}
|
}
|
||||||
|
|
||||||
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
|
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
|
||||||
MBEDTLS_CHECK_RETURN_CRITICAL
|
MBEDTLS_CHECK_RETURN_CRITICAL
|
||||||
static int ssl_tls13_client_hello_has_exts_for_psk_key_exchange(
|
static int ssl_tls13_client_hello_has_exts_for_psk_key_exchange(
|
||||||
mbedtls_ssl_context *ssl )
|
mbedtls_ssl_context *ssl )
|
||||||
@ -1015,7 +1015,7 @@ static int ssl_tls13_client_hello_has_exts_for_psk_ephemeral_key_exchange(
|
|||||||
MBEDTLS_SSL_EXT_PRE_SHARED_KEY |
|
MBEDTLS_SSL_EXT_PRE_SHARED_KEY |
|
||||||
MBEDTLS_SSL_EXT_PSK_KEY_EXCHANGE_MODES ) );
|
MBEDTLS_SSL_EXT_PSK_KEY_EXCHANGE_MODES ) );
|
||||||
}
|
}
|
||||||
#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
|
#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */
|
||||||
|
|
||||||
MBEDTLS_CHECK_RETURN_CRITICAL
|
MBEDTLS_CHECK_RETURN_CRITICAL
|
||||||
static int ssl_tls13_check_ephemeral_key_exchange( mbedtls_ssl_context *ssl )
|
static int ssl_tls13_check_ephemeral_key_exchange( mbedtls_ssl_context *ssl )
|
||||||
@ -1027,7 +1027,7 @@ static int ssl_tls13_check_ephemeral_key_exchange( mbedtls_ssl_context *ssl )
|
|||||||
MBEDTLS_CHECK_RETURN_CRITICAL
|
MBEDTLS_CHECK_RETURN_CRITICAL
|
||||||
static int ssl_tls13_check_psk_key_exchange( mbedtls_ssl_context *ssl )
|
static int ssl_tls13_check_psk_key_exchange( mbedtls_ssl_context *ssl )
|
||||||
{
|
{
|
||||||
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
|
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
|
||||||
return( mbedtls_ssl_conf_tls13_psk_enabled( ssl ) &&
|
return( mbedtls_ssl_conf_tls13_psk_enabled( ssl ) &&
|
||||||
mbedtls_ssl_tls13_psk_enabled( ssl ) &&
|
mbedtls_ssl_tls13_psk_enabled( ssl ) &&
|
||||||
ssl_tls13_client_hello_has_exts_for_psk_key_exchange( ssl ) );
|
ssl_tls13_client_hello_has_exts_for_psk_key_exchange( ssl ) );
|
||||||
@ -1040,7 +1040,7 @@ static int ssl_tls13_check_psk_key_exchange( mbedtls_ssl_context *ssl )
|
|||||||
MBEDTLS_CHECK_RETURN_CRITICAL
|
MBEDTLS_CHECK_RETURN_CRITICAL
|
||||||
static int ssl_tls13_check_psk_ephemeral_key_exchange( mbedtls_ssl_context *ssl )
|
static int ssl_tls13_check_psk_ephemeral_key_exchange( mbedtls_ssl_context *ssl )
|
||||||
{
|
{
|
||||||
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
|
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
|
||||||
return( mbedtls_ssl_conf_tls13_psk_ephemeral_enabled( ssl ) &&
|
return( mbedtls_ssl_conf_tls13_psk_ephemeral_enabled( ssl ) &&
|
||||||
mbedtls_ssl_tls13_psk_ephemeral_enabled( ssl ) &&
|
mbedtls_ssl_tls13_psk_ephemeral_enabled( ssl ) &&
|
||||||
ssl_tls13_client_hello_has_exts_for_psk_ephemeral_key_exchange( ssl ) );
|
ssl_tls13_client_hello_has_exts_for_psk_ephemeral_key_exchange( ssl ) );
|
||||||
@ -1289,11 +1289,11 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl,
|
|||||||
const unsigned char *extensions_end;
|
const unsigned char *extensions_end;
|
||||||
int hrr_required = 0;
|
int hrr_required = 0;
|
||||||
|
|
||||||
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
|
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
|
||||||
const unsigned char *cipher_suites;
|
const unsigned char *cipher_suites;
|
||||||
const unsigned char *pre_shared_key_ext = NULL;
|
const unsigned char *pre_shared_key_ext = NULL;
|
||||||
const unsigned char *pre_shared_key_ext_end = NULL;
|
const unsigned char *pre_shared_key_ext_end = NULL;
|
||||||
#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
|
#endif
|
||||||
|
|
||||||
ssl->handshake->extensions_present = MBEDTLS_SSL_EXT_NONE;
|
ssl->handshake->extensions_present = MBEDTLS_SSL_EXT_NONE;
|
||||||
|
|
||||||
@ -1400,7 +1400,7 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl,
|
|||||||
* with CipherSuite defined as:
|
* with CipherSuite defined as:
|
||||||
* uint8 CipherSuite[2];
|
* uint8 CipherSuite[2];
|
||||||
*/
|
*/
|
||||||
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
|
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
|
||||||
cipher_suites = p;
|
cipher_suites = p;
|
||||||
#endif
|
#endif
|
||||||
cipher_suites_end = p + cipher_suites_len;
|
cipher_suites_end = p + cipher_suites_len;
|
||||||
@ -1581,7 +1581,7 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl,
|
|||||||
ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_SUPPORTED_VERSIONS;
|
ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_SUPPORTED_VERSIONS;
|
||||||
break;
|
break;
|
||||||
|
|
||||||
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
|
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
|
||||||
case MBEDTLS_TLS_EXT_PSK_KEY_EXCHANGE_MODES:
|
case MBEDTLS_TLS_EXT_PSK_KEY_EXCHANGE_MODES:
|
||||||
MBEDTLS_SSL_DEBUG_MSG( 3, ( "found psk key exchange modes extension" ) );
|
MBEDTLS_SSL_DEBUG_MSG( 3, ( "found psk key exchange modes extension" ) );
|
||||||
|
|
||||||
@ -1596,7 +1596,7 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl,
|
|||||||
|
|
||||||
ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_PSK_KEY_EXCHANGE_MODES;
|
ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_PSK_KEY_EXCHANGE_MODES;
|
||||||
break;
|
break;
|
||||||
#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
|
#endif
|
||||||
|
|
||||||
case MBEDTLS_TLS_EXT_PRE_SHARED_KEY:
|
case MBEDTLS_TLS_EXT_PRE_SHARED_KEY:
|
||||||
MBEDTLS_SSL_DEBUG_MSG( 3, ( "found pre_shared_key extension" ) );
|
MBEDTLS_SSL_DEBUG_MSG( 3, ( "found pre_shared_key extension" ) );
|
||||||
@ -1608,14 +1608,14 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl,
|
|||||||
MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
|
MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
|
||||||
return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
|
return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
|
||||||
}
|
}
|
||||||
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
|
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
|
||||||
/* Delay processing of the PSK identity once we have
|
/* Delay processing of the PSK identity once we have
|
||||||
* found out which algorithms to use. We keep a pointer
|
* found out which algorithms to use. We keep a pointer
|
||||||
* to the buffer and the size for later processing.
|
* to the buffer and the size for later processing.
|
||||||
*/
|
*/
|
||||||
pre_shared_key_ext = p;
|
pre_shared_key_ext = p;
|
||||||
pre_shared_key_ext_end = extension_data_end;
|
pre_shared_key_ext_end = extension_data_end;
|
||||||
#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
|
#endif
|
||||||
ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_PRE_SHARED_KEY;
|
ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_PRE_SHARED_KEY;
|
||||||
break;
|
break;
|
||||||
|
|
||||||
@ -1669,7 +1669,7 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl,
|
|||||||
MBEDTLS_SSL_HS_CLIENT_HELLO,
|
MBEDTLS_SSL_HS_CLIENT_HELLO,
|
||||||
p - buf );
|
p - buf );
|
||||||
|
|
||||||
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
|
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
|
||||||
/* Update checksum with either
|
/* Update checksum with either
|
||||||
* - The entire content of the CH message, if no PSK extension is present
|
* - The entire content of the CH message, if no PSK extension is present
|
||||||
* - The content up to but excluding the PSK extension, if present.
|
* - The content up to but excluding the PSK extension, if present.
|
||||||
@ -1698,7 +1698,7 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl,
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
|
#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */
|
||||||
{
|
{
|
||||||
ssl->handshake->update_checksum( ssl, buf, p - buf );
|
ssl->handshake->update_checksum( ssl, buf, p - buf );
|
||||||
}
|
}
|
||||||
@ -2154,7 +2154,7 @@ static int ssl_tls13_write_server_hello_body( mbedtls_ssl_context *ssl,
|
|||||||
p += output_len;
|
p += output_len;
|
||||||
}
|
}
|
||||||
|
|
||||||
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
|
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
|
||||||
if( !is_hrr && mbedtls_ssl_tls13_key_exchange_mode_with_psk( ssl ) )
|
if( !is_hrr && mbedtls_ssl_tls13_key_exchange_mode_with_psk( ssl ) )
|
||||||
{
|
{
|
||||||
ret = ssl_tls13_write_server_pre_shared_key_ext( ssl, p, end, &output_len );
|
ret = ssl_tls13_write_server_pre_shared_key_ext( ssl, p, end, &output_len );
|
||||||
@ -2166,7 +2166,7 @@ static int ssl_tls13_write_server_hello_body( mbedtls_ssl_context *ssl,
|
|||||||
}
|
}
|
||||||
p += output_len;
|
p += output_len;
|
||||||
}
|
}
|
||||||
#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
|
#endif
|
||||||
|
|
||||||
MBEDTLS_PUT_UINT16_BE( p - p_extensions_len - 2, p_extensions_len, 0 );
|
MBEDTLS_PUT_UINT16_BE( p - p_extensions_len - 2, p_extensions_len, 0 );
|
||||||
|
|
||||||
|
|||||||
@ -12981,6 +12981,7 @@ requires_config_enabled MBEDTLS_DEBUG_C
|
|||||||
requires_config_enabled MBEDTLS_SSL_CLI_C
|
requires_config_enabled MBEDTLS_SSL_CLI_C
|
||||||
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
|
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
|
||||||
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
|
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
|
||||||
|
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
|
||||||
run_test "TLS 1.3: NewSessionTicket: Basic check, m->O" \
|
run_test "TLS 1.3: NewSessionTicket: Basic check, m->O" \
|
||||||
"$O_NEXT_SRV -msg -tls1_3 -no_resume_ephemeral -no_cache --num_tickets 4" \
|
"$O_NEXT_SRV -msg -tls1_3 -no_resume_ephemeral -no_cache --num_tickets 4" \
|
||||||
"$P_CLI debug_level=1 reco_mode=1 reconnect=1" \
|
"$P_CLI debug_level=1 reco_mode=1 reconnect=1" \
|
||||||
@ -12997,6 +12998,7 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
|
|||||||
requires_config_enabled MBEDTLS_DEBUG_C
|
requires_config_enabled MBEDTLS_DEBUG_C
|
||||||
requires_config_enabled MBEDTLS_SSL_CLI_C
|
requires_config_enabled MBEDTLS_SSL_CLI_C
|
||||||
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
|
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
|
||||||
|
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
|
||||||
run_test "TLS 1.3: NewSessionTicket: Basic check, m->G" \
|
run_test "TLS 1.3: NewSessionTicket: Basic check, m->G" \
|
||||||
"$G_NEXT_SRV -d 10 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:+PSK --disable-client-cert" \
|
"$G_NEXT_SRV -d 10 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:+PSK --disable-client-cert" \
|
||||||
"$P_CLI debug_level=1 reco_mode=1 reconnect=1" \
|
"$P_CLI debug_level=1 reco_mode=1 reconnect=1" \
|
||||||
@ -13015,6 +13017,7 @@ requires_config_enabled MBEDTLS_SSL_SRV_C
|
|||||||
requires_config_enabled MBEDTLS_DEBUG_C
|
requires_config_enabled MBEDTLS_DEBUG_C
|
||||||
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
|
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
|
||||||
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
|
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
|
||||||
|
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
|
||||||
# https://github.com/openssl/openssl/issues/10714
|
# https://github.com/openssl/openssl/issues/10714
|
||||||
# Until now, OpenSSL client does not support reconnect.
|
# Until now, OpenSSL client does not support reconnect.
|
||||||
skip_next_test
|
skip_next_test
|
||||||
@ -13033,6 +13036,7 @@ requires_config_enabled MBEDTLS_SSL_SRV_C
|
|||||||
requires_config_enabled MBEDTLS_DEBUG_C
|
requires_config_enabled MBEDTLS_DEBUG_C
|
||||||
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
|
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
|
||||||
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
|
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
|
||||||
|
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
|
||||||
run_test "TLS 1.3: NewSessionTicket: Basic check, G->m" \
|
run_test "TLS 1.3: NewSessionTicket: Basic check, G->m" \
|
||||||
"$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=4" \
|
"$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=4" \
|
||||||
"$G_NEXT_CLI localhost -d 4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3 -V -r" \
|
"$G_NEXT_CLI localhost -d 4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3 -V -r" \
|
||||||
@ -13052,6 +13056,7 @@ requires_config_enabled MBEDTLS_SSL_SRV_C
|
|||||||
requires_config_enabled MBEDTLS_SSL_CLI_C
|
requires_config_enabled MBEDTLS_SSL_CLI_C
|
||||||
requires_config_enabled MBEDTLS_DEBUG_C
|
requires_config_enabled MBEDTLS_DEBUG_C
|
||||||
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
|
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
|
||||||
|
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
|
||||||
run_test "TLS 1.3: NewSessionTicket: Basic check, m->m" \
|
run_test "TLS 1.3: NewSessionTicket: Basic check, m->m" \
|
||||||
"$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=4" \
|
"$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=4" \
|
||||||
"$P_CLI debug_level=4 reco_mode=1 reconnect=1" \
|
"$P_CLI debug_level=4 reco_mode=1 reconnect=1" \
|
||||||
@ -13105,6 +13110,7 @@ requires_config_enabled MBEDTLS_SSL_SRV_C
|
|||||||
requires_config_enabled MBEDTLS_SSL_CLI_C
|
requires_config_enabled MBEDTLS_SSL_CLI_C
|
||||||
requires_config_enabled MBEDTLS_DEBUG_C
|
requires_config_enabled MBEDTLS_DEBUG_C
|
||||||
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
|
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
|
||||||
|
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
|
||||||
run_test "TLS 1.3: NewSessionTicket: servername check, m->m" \
|
run_test "TLS 1.3: NewSessionTicket: servername check, m->m" \
|
||||||
"$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=4 \
|
"$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=4 \
|
||||||
sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
|
sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
|
||||||
@ -13128,6 +13134,7 @@ requires_config_enabled MBEDTLS_SSL_SRV_C
|
|||||||
requires_config_enabled MBEDTLS_SSL_CLI_C
|
requires_config_enabled MBEDTLS_SSL_CLI_C
|
||||||
requires_config_enabled MBEDTLS_DEBUG_C
|
requires_config_enabled MBEDTLS_DEBUG_C
|
||||||
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
|
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
|
||||||
|
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
|
||||||
run_test "TLS 1.3: NewSessionTicket: servername negative check, m->m" \
|
run_test "TLS 1.3: NewSessionTicket: servername negative check, m->m" \
|
||||||
"$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=4 \
|
"$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=4 \
|
||||||
sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
|
sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user