From eb69aee6af8cd0901fb34d3088fd99b78e9658ed Mon Sep 17 00:00:00 2001 From: XiaokangQian Date: Tue, 5 Jul 2022 08:21:43 +0000 Subject: [PATCH 1/9] Add psk code to tls13 client side Change-Id: I222b2c9d393889448e5e6ad06638536b54edb703 Signed-off-by: XiaokangQian --- library/ssl_client.c | 32 ++- library/ssl_misc.h | 63 ++++++ library/ssl_tls13_client.c | 442 ++++++++++++++++++++++++++++++++++++- tests/ssl-opt.sh | 13 ++ 4 files changed, 543 insertions(+), 7 deletions(-) diff --git a/library/ssl_client.c b/library/ssl_client.c index 20f1aff4b8..5e775cca41 100644 --- a/library/ssl_client.c +++ b/library/ssl_client.c @@ -432,7 +432,8 @@ MBEDTLS_CHECK_RETURN_CRITICAL static int ssl_write_client_hello_body( mbedtls_ssl_context *ssl, unsigned char *buf, unsigned char *end, - size_t *out_len ) + size_t *out_len, + size_t *binders_len ) { int ret; mbedtls_ssl_handshake_params *handshake = ssl->handshake; @@ -443,6 +444,7 @@ static int ssl_write_client_hello_body( mbedtls_ssl_context *ssl, int tls12_uses_ec = 0; *out_len = 0; + *binders_len = 0; #if defined(MBEDTLS_SSL_PROTO_TLS1_2) unsigned char propose_tls12 = @@ -641,6 +643,18 @@ static int ssl_write_client_hello_body( mbedtls_ssl_context *ssl, } #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \ + defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) + if( propose_tls13 && mbedtls_ssl_conf_tls13_some_psk_enabled( ssl ) ) + { + ret = mbedtls_ssl_tls13_write_pre_shared_key_ext_without_binders( + ssl, p, end, &output_len, binders_len ); + if( ret != 0 ) + return( ret ); + p += output_len; + } +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 || MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */ + /* Write the length of the list of extensions. */ extensions_len = p - p_extensions_len - 2; @@ -837,7 +851,7 @@ int mbedtls_ssl_write_client_hello( mbedtls_ssl_context *ssl ) { int ret = 0; unsigned char *buf; - size_t buf_len, msg_len; + size_t buf_len, msg_len, binders_len; MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write client hello" ) ); @@ -849,7 +863,8 @@ int mbedtls_ssl_write_client_hello( mbedtls_ssl_context *ssl ) MBEDTLS_SSL_PROC_CHK( ssl_write_client_hello_body( ssl, buf, buf + buf_len, - &msg_len ) ); + &msg_len, + &binders_len ) ); #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_PROTO_DTLS) if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) @@ -883,6 +898,17 @@ int mbedtls_ssl_write_client_hello( mbedtls_ssl_context *ssl ) else #endif /* MBEDTLS_SSL_PROTO_TLS1_2 && MBEDTLS_SSL_PROTO_DTLS */ { + +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \ + defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) + if( binders_len > 0 ) + { + MBEDTLS_SSL_PROC_CHK( + mbedtls_ssl_tls13_write_pre_shared_key_ext_binders( + ssl, buf + msg_len - binders_len, buf + msg_len ) ); + } +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 && MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */ + mbedtls_ssl_add_hs_msg_to_checksum( ssl, MBEDTLS_SSL_HS_CLIENT_HELLO, buf, msg_len ); MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_finish_handshake_msg( ssl, diff --git a/library/ssl_misc.h b/library/ssl_misc.h index 39a47cac79..5037e449b3 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -2419,4 +2419,67 @@ int mbedtls_ssl_check_dtls_clihlo_cookie( unsigned char *obuf, size_t buf_len, size_t *olen ); #endif +#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) +/* Check if we have any PSK to offer, returns 0 if PSK is available. + * Assign the psk and ticket if pointers are present. + */ +static inline int mbedtls_ssl_get_psk_to_offer( + const mbedtls_ssl_context *ssl, + const unsigned char **psk, size_t *psk_len, + const unsigned char **psk_identity, size_t *psk_identity_len ) +{ + int ptrs_present = 0; + + if( psk != NULL && psk_len != NULL && + psk_identity != NULL && psk_identity_len != NULL ) + { + ptrs_present = 1; + } + + /* Check if an external PSK has been configured. */ + if( ssl->conf->psk != NULL ) + { + if( ptrs_present ) + { + *psk = ssl->conf->psk; + *psk_len = ssl->conf->psk_len; + *psk_identity = ssl->conf->psk_identity; + *psk_identity_len = ssl->conf->psk_identity_len; + } + return( 0 ); + } + + return( 1 ); +} + +/** + * \brief Given an SSL context and its associated configuration, write the TLS + * 1.3 specific Pre-Shared key extension. + * + * \param[in] ssl SSL context + * \param[in] buf Base address of the buffer where to write the extension + * \param[in] end End address of the buffer where to write the extension + * \param[out] out_len Length of the data written into the buffer \p buf + * \param[out] binders_len Length of the binders to be written at the end of + * extension + */ +int mbedtls_ssl_tls13_write_pre_shared_key_ext_without_binders( + mbedtls_ssl_context *ssl, + unsigned char *buf, unsigned char *end, + size_t *out_len, size_t *binders_len ); + +/** + * \brief Given an SSL context and its associated configuration, write the TLS + * 1.3 specific Pre-Shared key extension binders at the end of the + * ClientHello. + * + * \param[in] ssl SSL context + * \param[in] buf Base address of the buffer where to write the extension + * \param[in] end End address of the buffer where to write the extension + */ +int mbedtls_ssl_tls13_write_pre_shared_key_ext_binders( + mbedtls_ssl_context *ssl, + unsigned char *buf, unsigned char *end ); +#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */ + #endif /* ssl_misc.h */ diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c index 183b6ee066..62f00fac8c 100644 --- a/library/ssl_tls13_client.c +++ b/library/ssl_tls13_client.c @@ -595,6 +595,320 @@ static int ssl_tls13_write_cookie_ext( mbedtls_ssl_context *ssl, return( 0 ); } +#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) +/* + * ssl_tls13_write_psk_key_exchange_modes_ext() structure: + * + * enum { psk_ke( 0 ), psk_dhe_ke( 1 ), ( 255 ) } PskKeyExchangeMode; + * + * struct { + * PskKeyExchangeMode ke_modes<1..255>; + * } PskKeyExchangeModes; + */ +static int ssl_tls13_write_psk_key_exchange_modes_ext( mbedtls_ssl_context *ssl, + unsigned char *buf, + unsigned char *end, + size_t *out_len ) +{ + const unsigned char *psk; + size_t psk_len; + const unsigned char *psk_identity; + size_t psk_identity_len; + unsigned char *p = buf; + int num_modes = 0; + + ((void) num_modes ); + *out_len = 0; + /* Skip writing extension if no PSK key exchange mode + * is enabled in the config. + */ + if( !mbedtls_ssl_conf_tls13_some_psk_enabled( ssl ) || + mbedtls_ssl_get_psk_to_offer( ssl, &psk, &psk_len, + &psk_identity, &psk_identity_len ) != 0 ) + { + MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip psk_key_exchange_modes extension" ) ); + return( 0 ); + } + + /* Require 7 bytes of data, otherwise fail, + * even if extension might be shorter. + */ + MBEDTLS_SSL_CHK_BUF_PTR( p, end, 7 ); + MBEDTLS_SSL_DEBUG_MSG( + 3, ( "client hello, adding psk_key_exchange_modes extension" ) ); + + /* Extension Type */ + MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_PSK_KEY_EXCHANGE_MODES, p, 0 ); + + /* Skip extension length (2 byte) and + * PSK mode list length (1 byte) for now. + */ + p += 5; + + if( mbedtls_ssl_conf_tls13_psk_enabled( ssl ) ) + { + *p++ = MBEDTLS_SSL_TLS1_3_PSK_MODE_PURE; + num_modes++; + + MBEDTLS_SSL_DEBUG_MSG( 4, ( "Adding pure PSK key exchange mode" ) ); + } + + if( mbedtls_ssl_conf_tls13_psk_ephemeral_enabled( ssl ) ) + { + *p++ = MBEDTLS_SSL_TLS1_3_PSK_MODE_ECDHE; + num_modes++; + + MBEDTLS_SSL_DEBUG_MSG( 4, ( "Adding PSK-ECDHE key exchange mode" ) ); + } + + /* Add extension length: PSK mode list length byte + actual + * PSK mode list length + */ + MBEDTLS_PUT_UINT16_BE( num_modes + 1, buf, 2 ); + /* Add PSK mode list length */ + buf[4] = num_modes; + + *out_len = p - buf; + ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_PSK_KEY_EXCHANGE_MODES; + return ( 0 ); +} +#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */ + +/* + * mbedtls_ssl_tls13_write_pre_shared_key_ext() structure: + * + * struct { + * opaque identity<1..2^16-1>; + * uint32 obfuscated_ticket_age; + * } PskIdentity; + * + * opaque PskBinderEntry<32..255>; + * + * struct { + * select ( Handshake.msg_type ) { + * + * case client_hello: + * PskIdentity identities<7..2^16-1>; + * PskBinderEntry binders<33..2^16-1>; + * + * case server_hello: + * uint16 selected_identity; + * }; + * + * } PreSharedKeyExtension; + * + * + * part = 0 ==> everything up to the PSK binder list, + * returning the binder list length in `binder_list_length`. + * part = 1 ==> the PSK binder list + */ + +#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) + +int mbedtls_ssl_tls13_write_pre_shared_key_ext_without_binders( + mbedtls_ssl_context *ssl, + unsigned char *buf, unsigned char *end, + size_t *out_len, size_t *binders_len ) +{ + unsigned char *p = buf; + const unsigned char *psk; + size_t psk_len; + const unsigned char *psk_identity; + size_t psk_identity_len; + const mbedtls_ssl_ciphersuite_t *suite_info = NULL; + const int *ciphersuites; + int hash_len = 0; + size_t identities_len, l_binders_len; + uint32_t obfuscated_ticket_age = 0; + psa_algorithm_t psa_hash_alg; + + *out_len = 0; + *binders_len = 0; + + /* Check if we have any PSKs to offer. If so, return the first. + * + * NOTE: Ultimately, we want to be able to offer multiple PSKs, + * in which case we want to iterate over them here. + * + * As it stands, however, we only ever offer one, chosen + * by the following heuristic: + * - If a ticket has been configured, offer the corresponding PSK. + * - If no ticket has been configured by an external PSK has been + * configured, offer that. + * - Otherwise, skip the PSK extension. + */ + + if( mbedtls_ssl_get_psk_to_offer( ssl, &psk, &psk_len, + &psk_identity, &psk_identity_len ) != 0 ) + { + MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip pre_shared_key extensions" ) ); + return( 0 ); + } + + /* + * Ciphersuite list + */ + ciphersuites = ssl->conf->ciphersuite_list; + for ( int i = 0; ciphersuites[i] != 0; i++ ) + { + suite_info = mbedtls_ssl_ciphersuite_from_id( ciphersuites[i] ); + + if( suite_info == NULL ) + continue; + + /* In this implementation we only add one pre-shared-key extension. */ + ssl->session_negotiate->ciphersuite = ciphersuites[i]; + ssl->handshake->ciphersuite_info = suite_info; + break; + } + + if( suite_info != NULL ) + { + psa_hash_alg = mbedtls_psa_translate_md( suite_info->mac ); + hash_len = PSA_HASH_LENGTH( psa_hash_alg ); + } + if( hash_len == -1 ) + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); + + /* Check if we have space to write the extension, binder included. + * - extension_type (2 bytes) + * - extension_data_len (2 bytes) + * - identities_len (2 bytes) + * - identity_len (2 bytes) + * - identity (psk_identity_len bytes) + * - obfuscated_ticket_age (4 bytes) + * - binders_len (2 bytes) + * - binder_len (1 byte) + * - binder (hash_len bytes) + */ + + identities_len = 6 + psk_identity_len; + l_binders_len = 1 + hash_len; + MBEDTLS_SSL_CHK_BUF_PTR( p, end, 4 + 2 + identities_len + 2 + l_binders_len ); + + MBEDTLS_SSL_DEBUG_MSG( 3, + ( "client hello, adding pre_shared_key extension, " + "omitting PSK binder list" ) ); + + /* Extension header */ + MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_PRE_SHARED_KEY, p, 0 ); + MBEDTLS_PUT_UINT16_BE( 2 + identities_len + 2 + l_binders_len , p, 2 ); + + MBEDTLS_PUT_UINT16_BE( identities_len, p, 4 ); + MBEDTLS_PUT_UINT16_BE( psk_identity_len, p, 6 ); + p += 8; + memcpy( p, psk_identity, psk_identity_len ); + p += psk_identity_len; + + /* add obfuscated ticket age */ + MBEDTLS_PUT_UINT32_BE( obfuscated_ticket_age, p, 0 ); + p += 4; + + *out_len = ( p - buf ) + l_binders_len + 2; + *binders_len = l_binders_len + 2; + + ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_PRE_SHARED_KEY; + + return( 0 ); +} + +int mbedtls_ssl_tls13_write_pre_shared_key_ext_binders( + mbedtls_ssl_context *ssl, + unsigned char *buf, unsigned char *end ) +{ + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + unsigned char *p = buf; + const mbedtls_ssl_ciphersuite_t *suite_info = NULL; + const int *ciphersuites; + int hash_len = 0; + const unsigned char *psk; + size_t psk_len; + const unsigned char *psk_identity; + size_t psk_identity_len; + int psk_type; + unsigned char transcript[MBEDTLS_MD_MAX_SIZE]; + size_t transcript_len; + psa_algorithm_t psa_hash_alg; + + /* Check if we have any PSKs to offer. If so, return the first. + * + * NOTE: Ultimately, we want to be able to offer multiple PSKs, + * in which case we want to iterate over them here. + * + * As it stands, however, we only ever offer one, chosen + * by the following heuristic: + * - If a ticket has been configured, offer the corresponding PSK. + * - If no ticket has been configured by an external PSK has been + * configured, offer that. + * - Otherwise, skip the PSK extension. + */ + + if( mbedtls_ssl_get_psk_to_offer( ssl, &psk, &psk_len, + &psk_identity, &psk_identity_len ) != 0 ) + { + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); + } + + /* + * Ciphersuite list + */ + ciphersuites = ssl->conf->ciphersuite_list; + for ( int i = 0; ciphersuites[i] != 0; i++ ) + { + suite_info = mbedtls_ssl_ciphersuite_from_id( ciphersuites[i] ); + + if( suite_info == NULL ) + continue; + + /* In this implementation we only add one pre-shared-key extension. */ + ssl->session_negotiate->ciphersuite = ciphersuites[i]; + ssl->handshake->ciphersuite_info = suite_info; + break; + } + + if( suite_info != NULL ) + { + psa_hash_alg = mbedtls_psa_translate_md( suite_info->mac ); + hash_len = PSA_HASH_LENGTH( psa_hash_alg ); + } + if( ( hash_len == -1 ) || ( ( end - buf ) != 3 + hash_len ) ) + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); + + MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding PSK binder list" ) ); + + /* 2 bytes length field for array of psk binders */ + MBEDTLS_PUT_UINT16_BE( hash_len + 1, p, 0 ); + p += 2; + + /* 1 bytes length field for next psk binder */ + *p++ = MBEDTLS_BYTE_0( hash_len ); + + if( ssl->handshake->resume == 1 ) + psk_type = MBEDTLS_SSL_TLS1_3_PSK_RESUMPTION; + else + psk_type = MBEDTLS_SSL_TLS1_3_PSK_EXTERNAL; + + /* Get current state of handshake transcript. */ + ret = mbedtls_ssl_get_handshake_transcript( ssl, suite_info->mac, + transcript, sizeof( transcript ), + &transcript_len ); + if( ret != 0 ) + return( ret ); + + ret = mbedtls_ssl_tls13_create_psk_binder( ssl, + mbedtls_psa_translate_md( suite_info->mac ), + psk, psk_len, psk_type, + transcript, p ); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_create_psk_binder", ret ); + return( ret ); + } + + return( 0 ); +} +#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */ + int mbedtls_ssl_tls13_write_client_hello_exts( mbedtls_ssl_context *ssl, unsigned char *buf, unsigned char *end, @@ -631,6 +945,22 @@ int mbedtls_ssl_tls13_write_client_hello_exts( mbedtls_ssl_context *ssl, p += ext_len; } +#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) + /* For PSK-based key exchange we need the pre_shared_key extension + * and the psk_key_exchange_modes extension. + * + * The pre_shared_key extension MUST be the last extension in the + * ClientHello. Servers MUST check that it is the last extension and + * otherwise fail the handshake with an "illegal_parameter" alert. + * + * Add the psk_key_exchange_modes extension. + */ + ret = ssl_tls13_write_psk_key_exchange_modes_ext( ssl, p, end, &ext_len ); + if( ret != 0 ) + return( ret ); + p += ext_len; +#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */ + *out_len = p - buf; return( 0 ); @@ -929,6 +1259,98 @@ static int ssl_tls13_check_server_hello_session_id_echo( mbedtls_ssl_context *ss return( 0 ); } +#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) +/* + * struct { + * opaque identity<1..2^16-1>; + * uint32 obfuscated_ticket_age; + * } PskIdentity; + * + * opaque PskBinderEntry<32..255>; + * + * struct { + * select ( Handshake.msg_type ) { + * case client_hello: + * PskIdentity identities<7..2^16-1>; + * PskBinderEntry binders<33..2^16-1>; + * case server_hello: + * uint16 selected_identity; + * }; + * + * } PreSharedKeyExtension; + * + */ + +static int ssl_tls13_parse_server_psk_identity_ext( mbedtls_ssl_context *ssl, + const unsigned char *buf, + size_t len ) +{ + int ret = 0; + size_t selected_identity; + + const unsigned char *psk; + size_t psk_len; + const unsigned char *psk_identity; + size_t psk_identity_len; + + + /* Check which PSK we've offered. + * + * NOTE: Ultimately, we want to offer multiple PSKs, and in this + * case, we need to iterate over them here. + */ + if( mbedtls_ssl_get_psk_to_offer( ssl, &psk, &psk_len, + &psk_identity, &psk_identity_len ) != 0 ) + { + /* If we haven't offered a PSK, the server must not send + * a PSK identity extension. */ + return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); + } + + if( len != (size_t) 2 ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad psk_identity extension in server hello message" ) ); + return( MBEDTLS_ERR_SSL_DECODE_ERROR ); + } + + selected_identity = MBEDTLS_GET_UINT16_BE( buf, 0 ); + + /* We have offered only one PSK, so the only valid choice + * for the server is PSK index 0. + * + * This will change once we support multiple PSKs. */ + if( selected_identity > 0 ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "Server's chosen PSK identity out of range" ) ); + + if( ( ret = mbedtls_ssl_send_alert_message( ssl, + MBEDTLS_SSL_ALERT_LEVEL_FATAL, + MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ) ) != 0 ) + { + return( ret ); + } + + return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER ); + } + + /* Set the chosen PSK + * + * TODO: We don't have to do this in case we offered 0-RTT and the + * server accepted it, because in this case we've already + * set the handshake PSK. */ + ret = mbedtls_ssl_set_hs_psk( ssl, psk, psk_len ); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_set_hs_psk", ret ); + return( ret ); + } + + ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_PRE_SHARED_KEY; + return( 0 ); +} + +#endif + /* Parse ServerHello message and configure context * * struct { @@ -1139,12 +1561,24 @@ static int ssl_tls13_parse_server_hello( mbedtls_ssl_context *ssl, goto cleanup; break; +#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) case MBEDTLS_TLS_EXT_PRE_SHARED_KEY: - MBEDTLS_SSL_DEBUG_MSG( 3, ( "found pre_shared_key extension." ) ); - MBEDTLS_SSL_DEBUG_MSG( 3, ( "pre_shared_key:Not supported yet" ) ); + MBEDTLS_SSL_DEBUG_MSG( 3, ( "found pre_shared_key extension" ) ); + if( is_hrr ) + { + fatal_alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT; + goto cleanup; + } - fatal_alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT; - goto cleanup; + if( ( ret = ssl_tls13_parse_server_psk_identity_ext( + ssl, p, extension_data_len ) ) != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( + 1, ( "ssl_tls13_parse_server_psk_identity_ext" ), ret ); + return( ret ); + } + break; +#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */ case MBEDTLS_TLS_EXT_KEY_SHARE: MBEDTLS_SSL_DEBUG_MSG( 3, ( "found key_shares extension" ) ); diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 942d705242..ec2ac69b1c 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -11985,6 +11985,19 @@ run_test "TLS 1.3: Server side check - mbedtls with sni" \ -s "parse ServerName extension" \ -s "HTTP/1.0 200 OK" +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_enabled MBEDTLS_SSL_SRV_C +requires_config_enabled MBEDTLS_SSL_CLI_C +run_test "TLS 1.3, default suite, PSK" \ + "$P_SRV nbio=2 debug_level=5 force_version=tls13 psk=010203 psk_identity=0a0b0c tls13_kex_modes=psk" \ + "$P_CLI nbio=2 debug_level=5 force_version=tls13 psk=010203 psk_identity=0a0b0c tls13_kex_modes=psk" \ + 1 \ + -c "=> write client hello" \ + -c "client hello, adding pre_shared_key extension, omitting PSK binder list" \ + -c "client hello, adding psk_key_exchange_modes extension" \ + -c "client hello, adding PSK binder list" \ + -c "<= write client hello" + for i in opt-testcases/*.sh do TEST_SUITE_NAME=${i##*/} From 008d2bf80b813138d1375bc73ab617812cd7103d Mon Sep 17 00:00:00 2001 From: XiaokangQian Date: Thu, 14 Jul 2022 07:54:01 +0000 Subject: [PATCH 2/9] Address comments in psk client review Improve comments Refine cipher suite related code in psk Refine get_psk_offered() Change-Id: Ic3b0b5f86eb1e71f11bb499961aa8494284f1840 Signed-off-by: XiaokangQian --- library/ssl_client.c | 2 +- library/ssl_misc.h | 39 +++------ library/ssl_tls13_client.c | 152 ++++++++++++------------------------ library/ssl_tls13_generic.c | 38 +++++++++ 4 files changed, 97 insertions(+), 134 deletions(-) diff --git a/library/ssl_client.c b/library/ssl_client.c index 5e775cca41..8e4e9688fa 100644 --- a/library/ssl_client.c +++ b/library/ssl_client.c @@ -653,7 +653,7 @@ static int ssl_write_client_hello_body( mbedtls_ssl_context *ssl, return( ret ); p += output_len; } -#endif /* MBEDTLS_SSL_PROTO_TLS1_3 || MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 && MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */ /* Write the length of the list of extensions. */ extensions_len = p - p_extensions_len - 2; diff --git a/library/ssl_misc.h b/library/ssl_misc.h index 5037e449b3..30c3c3a64c 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -2423,34 +2423,11 @@ int mbedtls_ssl_check_dtls_clihlo_cookie( /* Check if we have any PSK to offer, returns 0 if PSK is available. * Assign the psk and ticket if pointers are present. */ -static inline int mbedtls_ssl_get_psk_to_offer( +int mbedtls_ssl_get_psk_to_offer( const mbedtls_ssl_context *ssl, + int *psk_type, const unsigned char **psk, size_t *psk_len, - const unsigned char **psk_identity, size_t *psk_identity_len ) -{ - int ptrs_present = 0; - - if( psk != NULL && psk_len != NULL && - psk_identity != NULL && psk_identity_len != NULL ) - { - ptrs_present = 1; - } - - /* Check if an external PSK has been configured. */ - if( ssl->conf->psk != NULL ) - { - if( ptrs_present ) - { - *psk = ssl->conf->psk; - *psk_len = ssl->conf->psk_len; - *psk_identity = ssl->conf->psk_identity; - *psk_identity_len = ssl->conf->psk_identity_len; - } - return( 0 ); - } - - return( 1 ); -} + const unsigned char **psk_identity, size_t *psk_identity_len ); /** * \brief Given an SSL context and its associated configuration, write the TLS @@ -2459,9 +2436,11 @@ static inline int mbedtls_ssl_get_psk_to_offer( * \param[in] ssl SSL context * \param[in] buf Base address of the buffer where to write the extension * \param[in] end End address of the buffer where to write the extension - * \param[out] out_len Length of the data written into the buffer \p buf + * \param[out] out_len Length in bytes of the Pre-Shared key extension: data + * written into the buffer \p buf by this function plus + * the length of the binders to be written. * \param[out] binders_len Length of the binders to be written at the end of - * extension + * the extension. */ int mbedtls_ssl_tls13_write_pre_shared_key_ext_without_binders( mbedtls_ssl_context *ssl, @@ -2474,8 +2453,8 @@ int mbedtls_ssl_tls13_write_pre_shared_key_ext_without_binders( * ClientHello. * * \param[in] ssl SSL context - * \param[in] buf Base address of the buffer where to write the extension - * \param[in] end End address of the buffer where to write the extension + * \param[in] buf Base address of the buffer where to write the binders + * \param[in] end End address of the buffer where to write the binders */ int mbedtls_ssl_tls13_write_pre_shared_key_ext_binders( mbedtls_ssl_context *ssl, diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c index 62f00fac8c..6e82631f94 100644 --- a/library/ssl_tls13_client.c +++ b/library/ssl_tls13_client.c @@ -615,15 +615,16 @@ static int ssl_tls13_write_psk_key_exchange_modes_ext( mbedtls_ssl_context *ssl, const unsigned char *psk_identity; size_t psk_identity_len; unsigned char *p = buf; - int num_modes = 0; + int ke_modes_len = 0; - ((void) num_modes ); + ((void) ke_modes_len ); *out_len = 0; + /* Skip writing extension if no PSK key exchange mode - * is enabled in the config. + * is enabled in the config or there is no PSK to offer. */ if( !mbedtls_ssl_conf_tls13_some_psk_enabled( ssl ) || - mbedtls_ssl_get_psk_to_offer( ssl, &psk, &psk_len, + mbedtls_ssl_get_psk_to_offer( ssl, NULL, &psk, &psk_len, &psk_identity, &psk_identity_len ) != 0 ) { MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip psk_key_exchange_modes extension" ) ); @@ -637,18 +638,17 @@ static int ssl_tls13_write_psk_key_exchange_modes_ext( mbedtls_ssl_context *ssl, MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding psk_key_exchange_modes extension" ) ); - /* Extension Type */ MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_PSK_KEY_EXCHANGE_MODES, p, 0 ); - /* Skip extension length (2 byte) and - * PSK mode list length (1 byte) for now. + /* Skip extension length (2 bytes) and + * ke_modes length (1 byte) for now. */ p += 5; if( mbedtls_ssl_conf_tls13_psk_enabled( ssl ) ) { *p++ = MBEDTLS_SSL_TLS1_3_PSK_MODE_PURE; - num_modes++; + ke_modes_len++; MBEDTLS_SSL_DEBUG_MSG( 4, ( "Adding pure PSK key exchange mode" ) ); } @@ -656,17 +656,14 @@ static int ssl_tls13_write_psk_key_exchange_modes_ext( mbedtls_ssl_context *ssl, if( mbedtls_ssl_conf_tls13_psk_ephemeral_enabled( ssl ) ) { *p++ = MBEDTLS_SSL_TLS1_3_PSK_MODE_ECDHE; - num_modes++; + ke_modes_len++; MBEDTLS_SSL_DEBUG_MSG( 4, ( "Adding PSK-ECDHE key exchange mode" ) ); } - /* Add extension length: PSK mode list length byte + actual - * PSK mode list length - */ - MBEDTLS_PUT_UINT16_BE( num_modes + 1, buf, 2 ); - /* Add PSK mode list length */ - buf[4] = num_modes; + /* Now write the extension and ke_modes length */ + MBEDTLS_PUT_UINT16_BE( ke_modes_len + 1, buf, 2 ); + buf[4] = ke_modes_len; *out_len = p - buf; ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_PSK_KEY_EXCHANGE_MODES; @@ -685,22 +682,12 @@ static int ssl_tls13_write_psk_key_exchange_modes_ext( mbedtls_ssl_context *ssl, * opaque PskBinderEntry<32..255>; * * struct { - * select ( Handshake.msg_type ) { * - * case client_hello: - * PskIdentity identities<7..2^16-1>; - * PskBinderEntry binders<33..2^16-1>; - * - * case server_hello: - * uint16 selected_identity; - * }; + * PskIdentity identities<7..2^16-1>; + * PskBinderEntry binders<33..2^16-1>; * * } PreSharedKeyExtension; * - * - * part = 0 ==> everything up to the PSK binder list, - * returning the binder list length in `binder_list_length`. - * part = 1 ==> the PSK binder list */ #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) @@ -715,12 +702,12 @@ int mbedtls_ssl_tls13_write_pre_shared_key_ext_without_binders( size_t psk_len; const unsigned char *psk_identity; size_t psk_identity_len; - const mbedtls_ssl_ciphersuite_t *suite_info = NULL; + const mbedtls_ssl_ciphersuite_t *ciphersuite_info = NULL; const int *ciphersuites; + psa_algorithm_t psa_hash_alg; int hash_len = 0; size_t identities_len, l_binders_len; uint32_t obfuscated_ticket_age = 0; - psa_algorithm_t psa_hash_alg; *out_len = 0; *binders_len = 0; @@ -738,7 +725,7 @@ int mbedtls_ssl_tls13_write_pre_shared_key_ext_without_binders( * - Otherwise, skip the PSK extension. */ - if( mbedtls_ssl_get_psk_to_offer( ssl, &psk, &psk_len, + if( mbedtls_ssl_get_psk_to_offer( ssl, NULL, &psk, &psk_len, &psk_identity, &psk_identity_len ) != 0 ) { MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip pre_shared_key extensions" ) ); @@ -751,22 +738,27 @@ int mbedtls_ssl_tls13_write_pre_shared_key_ext_without_binders( ciphersuites = ssl->conf->ciphersuite_list; for ( int i = 0; ciphersuites[i] != 0; i++ ) { - suite_info = mbedtls_ssl_ciphersuite_from_id( ciphersuites[i] ); + ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( ciphersuites[i] ); - if( suite_info == NULL ) + if( mbedtls_ssl_validate_ciphersuite( + ssl, ciphersuite_info, + MBEDTLS_SSL_VERSION_TLS1_3, + MBEDTLS_SSL_VERSION_TLS1_3 ) != 0 ) continue; /* In this implementation we only add one pre-shared-key extension. */ ssl->session_negotiate->ciphersuite = ciphersuites[i]; - ssl->handshake->ciphersuite_info = suite_info; break; } - if( suite_info != NULL ) - { - psa_hash_alg = mbedtls_psa_translate_md( suite_info->mac ); - hash_len = PSA_HASH_LENGTH( psa_hash_alg ); - } + ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( + ssl->session_negotiate->ciphersuite ); + /* No suitable ciphersuite for the PSK */ + if( ciphersuite_info == NULL ) + return( 0 ); + + psa_hash_alg = mbedtls_psa_translate_md( ciphersuite_info->mac ); + hash_len = PSA_HASH_LENGTH( psa_hash_alg ); if( hash_len == -1 ) return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); @@ -818,64 +810,28 @@ int mbedtls_ssl_tls13_write_pre_shared_key_ext_binders( { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; unsigned char *p = buf; - const mbedtls_ssl_ciphersuite_t *suite_info = NULL; - const int *ciphersuites; + const mbedtls_ssl_ciphersuite_t *ciphersuite_info = NULL; + psa_algorithm_t psa_hash_alg; int hash_len = 0; - const unsigned char *psk; - size_t psk_len; - const unsigned char *psk_identity; - size_t psk_identity_len; + const unsigned char *psk = NULL; + size_t psk_len = 0; int psk_type; unsigned char transcript[MBEDTLS_MD_MAX_SIZE]; size_t transcript_len; - psa_algorithm_t psa_hash_alg; - /* Check if we have any PSKs to offer. If so, return the first. - * - * NOTE: Ultimately, we want to be able to offer multiple PSKs, - * in which case we want to iterate over them here. - * - * As it stands, however, we only ever offer one, chosen - * by the following heuristic: - * - If a ticket has been configured, offer the corresponding PSK. - * - If no ticket has been configured by an external PSK has been - * configured, offer that. - * - Otherwise, skip the PSK extension. - */ + ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( + ssl->session_negotiate->ciphersuite ); + if( ciphersuite_info == NULL ) + return( 0 ); - if( mbedtls_ssl_get_psk_to_offer( ssl, &psk, &psk_len, - &psk_identity, &psk_identity_len ) != 0 ) - { - return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); - } - - /* - * Ciphersuite list - */ - ciphersuites = ssl->conf->ciphersuite_list; - for ( int i = 0; ciphersuites[i] != 0; i++ ) - { - suite_info = mbedtls_ssl_ciphersuite_from_id( ciphersuites[i] ); - - if( suite_info == NULL ) - continue; - - /* In this implementation we only add one pre-shared-key extension. */ - ssl->session_negotiate->ciphersuite = ciphersuites[i]; - ssl->handshake->ciphersuite_info = suite_info; - break; - } - - if( suite_info != NULL ) - { - psa_hash_alg = mbedtls_psa_translate_md( suite_info->mac ); - hash_len = PSA_HASH_LENGTH( psa_hash_alg ); - } + psa_hash_alg = mbedtls_psa_translate_md( ciphersuite_info->mac ); + hash_len = PSA_HASH_LENGTH( psa_hash_alg ); if( ( hash_len == -1 ) || ( ( end - buf ) != 3 + hash_len ) ) return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding PSK binder list" ) ); + MBEDTLS_SSL_CHK_BUF_PTR( p, end, 3 + hash_len ); /* 2 bytes length field for array of psk binders */ MBEDTLS_PUT_UINT16_BE( hash_len + 1, p, 0 ); p += 2; @@ -889,14 +845,14 @@ int mbedtls_ssl_tls13_write_pre_shared_key_ext_binders( psk_type = MBEDTLS_SSL_TLS1_3_PSK_EXTERNAL; /* Get current state of handshake transcript. */ - ret = mbedtls_ssl_get_handshake_transcript( ssl, suite_info->mac, + ret = mbedtls_ssl_get_handshake_transcript( ssl, ciphersuite_info->mac, transcript, sizeof( transcript ), &transcript_len ); if( ret != 0 ) return( ret ); ret = mbedtls_ssl_tls13_create_psk_binder( ssl, - mbedtls_psa_translate_md( suite_info->mac ), + mbedtls_psa_translate_md( ciphersuite_info->mac ), psk, psk_len, psk_type, transcript, p ); if( ret != 0 ) @@ -1269,13 +1225,8 @@ static int ssl_tls13_check_server_hello_session_id_echo( mbedtls_ssl_context *ss * opaque PskBinderEntry<32..255>; * * struct { - * select ( Handshake.msg_type ) { - * case client_hello: - * PskIdentity identities<7..2^16-1>; - * PskBinderEntry binders<33..2^16-1>; - * case server_hello: - * uint16 selected_identity; - * }; + * + * uint16 selected_identity; * * } PreSharedKeyExtension; * @@ -1283,7 +1234,7 @@ static int ssl_tls13_check_server_hello_session_id_echo( mbedtls_ssl_context *ss static int ssl_tls13_parse_server_psk_identity_ext( mbedtls_ssl_context *ssl, const unsigned char *buf, - size_t len ) + const unsigned char *end ) { int ret = 0; size_t selected_identity; @@ -1299,7 +1250,7 @@ static int ssl_tls13_parse_server_psk_identity_ext( mbedtls_ssl_context *ssl, * NOTE: Ultimately, we want to offer multiple PSKs, and in this * case, we need to iterate over them here. */ - if( mbedtls_ssl_get_psk_to_offer( ssl, &psk, &psk_len, + if( mbedtls_ssl_get_psk_to_offer( ssl, NULL, &psk, &psk_len, &psk_identity, &psk_identity_len ) != 0 ) { /* If we haven't offered a PSK, the server must not send @@ -1307,12 +1258,7 @@ static int ssl_tls13_parse_server_psk_identity_ext( mbedtls_ssl_context *ssl, return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); } - if( len != (size_t) 2 ) - { - MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad psk_identity extension in server hello message" ) ); - return( MBEDTLS_ERR_SSL_DECODE_ERROR ); - } - + MBEDTLS_SSL_CHK_BUF_PTR( buf, end, 2 ); selected_identity = MBEDTLS_GET_UINT16_BE( buf, 0 ); /* We have offered only one PSK, so the only valid choice @@ -1571,7 +1517,7 @@ static int ssl_tls13_parse_server_hello( mbedtls_ssl_context *ssl, } if( ( ret = ssl_tls13_parse_server_psk_identity_ext( - ssl, p, extension_data_len ) ) != 0 ) + ssl, p, extension_data_end ) ) != 0 ) { MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_tls13_parse_server_psk_identity_ext" ), ret ); diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c index 265d6d3097..4cd0d0e267 100644 --- a/library/ssl_tls13_generic.c +++ b/library/ssl_tls13_generic.c @@ -1505,4 +1505,42 @@ int mbedtls_ssl_tls13_generate_and_write_ecdh_key_exchange( } #endif /* MBEDTLS_ECDH_C */ +#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) +/* Check if we have any PSK to offer, returns 0 if PSK is available. + * Assign the psk and ticket if pointers are present. + */ +int mbedtls_ssl_get_psk_to_offer( + const mbedtls_ssl_context *ssl, + int *psk_type, + const unsigned char **psk, size_t *psk_len, + const unsigned char **psk_identity, size_t *psk_identity_len ) +{ + int ptrs_present = 0; + + if( psk != NULL && psk_len != NULL && + psk_identity != NULL && psk_identity_len != NULL ) + { + ptrs_present = 1; + } + + /* Check if an external PSK has been configured. */ + if( ssl->conf->psk != NULL ) + { + if( ptrs_present ) + { + *psk = ssl->conf->psk; + *psk_len = ssl->conf->psk_len; + *psk_identity = ssl->conf->psk_identity; + *psk_identity_len = ssl->conf->psk_identity_len; + } + + if( psk_type != NULL ) + *psk_type = MBEDTLS_SSL_TLS1_3_PSK_EXTERNAL; + return( 0 ); + } + + return( 1 ); +} +#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */ + #endif /* MBEDTLS_SSL_TLS_C && MBEDTLS_SSL_PROTO_TLS1_3 */ From adab9a64400796fb53a1911dc2ec9e6a2b16450f Mon Sep 17 00:00:00 2001 From: XiaokangQian Date: Mon, 18 Jul 2022 07:41:26 +0000 Subject: [PATCH 3/9] Fix transcript issues and add cases against openssl Change-Id: I496674bdb79f074368f11beaa604ce17a3062bc3 Signed-off-by: XiaokangQian --- library/ssl_client.c | 7 +++++-- library/ssl_misc.h | 3 +++ library/ssl_tls.c | 6 +++--- library/ssl_tls13_client.c | 8 ++++++++ tests/ssl-opt.sh | 31 +++++++++++++++++++++++++++++++ 5 files changed, 50 insertions(+), 5 deletions(-) diff --git a/library/ssl_client.c b/library/ssl_client.c index 8e4e9688fa..afe07e815e 100644 --- a/library/ssl_client.c +++ b/library/ssl_client.c @@ -899,6 +899,9 @@ int mbedtls_ssl_write_client_hello( mbedtls_ssl_context *ssl ) #endif /* MBEDTLS_SSL_PROTO_TLS1_2 && MBEDTLS_SSL_PROTO_DTLS */ { + mbedtls_ssl_add_hs_hdr_to_checksum( ssl, MBEDTLS_SSL_HS_CLIENT_HELLO, + msg_len ); + ssl->handshake->update_checksum( ssl, buf, msg_len - binders_len ); #if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \ defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) if( binders_len > 0 ) @@ -907,10 +910,10 @@ int mbedtls_ssl_write_client_hello( mbedtls_ssl_context *ssl ) mbedtls_ssl_tls13_write_pre_shared_key_ext_binders( ssl, buf + msg_len - binders_len, buf + msg_len ) ); } + ssl->handshake->update_checksum( ssl, buf + msg_len - binders_len, + binders_len ); #endif /* MBEDTLS_SSL_PROTO_TLS1_3 && MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */ - mbedtls_ssl_add_hs_msg_to_checksum( ssl, MBEDTLS_SSL_HS_CLIENT_HELLO, - buf, msg_len ); MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_finish_handshake_msg( ssl, buf_len, msg_len ) ); diff --git a/library/ssl_misc.h b/library/ssl_misc.h index 30c3c3a64c..f55dede2a8 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -1336,6 +1336,9 @@ int mbedtls_ssl_write_finished( mbedtls_ssl_context *ssl ); void mbedtls_ssl_optimize_checksum( mbedtls_ssl_context *ssl, const mbedtls_ssl_ciphersuite_t *ciphersuite_info ); +void mbedtls_ssl_add_hs_hdr_to_checksum( mbedtls_ssl_context *ssl, + unsigned hs_type, + size_t total_hs_len ); /* * Update checksum of handshake messages. */ diff --git a/library/ssl_tls.c b/library/ssl_tls.c index e60b82fa5f..5a72fede49 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -532,9 +532,9 @@ void mbedtls_ssl_optimize_checksum( mbedtls_ssl_context *ssl, } } -static void mbedtls_ssl_add_hs_hdr_to_checksum( mbedtls_ssl_context *ssl, - unsigned hs_type, - size_t total_hs_len ) +void mbedtls_ssl_add_hs_hdr_to_checksum( mbedtls_ssl_context *ssl, + unsigned hs_type, + size_t total_hs_len ) { unsigned char hs_hdr[4]; diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c index 6e82631f94..43a84867f7 100644 --- a/library/ssl_tls13_client.c +++ b/library/ssl_tls13_client.c @@ -810,6 +810,8 @@ int mbedtls_ssl_tls13_write_pre_shared_key_ext_binders( { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; unsigned char *p = buf; + const unsigned char *psk_identity; + size_t psk_identity_len; const mbedtls_ssl_ciphersuite_t *ciphersuite_info = NULL; psa_algorithm_t psa_hash_alg; int hash_len = 0; @@ -819,6 +821,12 @@ int mbedtls_ssl_tls13_write_pre_shared_key_ext_binders( unsigned char transcript[MBEDTLS_MD_MAX_SIZE]; size_t transcript_len; + if( mbedtls_ssl_get_psk_to_offer( ssl, &psk_type, &psk, &psk_len, + &psk_identity, &psk_identity_len ) != 0 ) + { + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); + } + ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( ssl->session_negotiate->ciphersuite ); if( ciphersuite_info == NULL ) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index ec2ac69b1c..b8b377e7ff 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -11998,6 +11998,37 @@ run_test "TLS 1.3, default suite, PSK" \ -c "client hello, adding PSK binder list" \ -c "<= write client hello" +requires_openssl_tls1_3 +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +run_test "TLS 1.3, default suite, PSK - openssl" \ + "$O_NEXT_SRV -msg -debug -tls1_3 -psk_identity 0a0b0c -psk 010203 -allow_no_dhe_kex -nocert" \ + "$P_CLI debug_level=4 psk=010203 psk_identity=0a0b0c tls13_kex_modes=psk force_ciphersuite=TLS1-3-AES-128-GCM-SHA256" \ + 1 \ + -c "=> write client hello" \ + -c "client hello, adding pre_shared_key extension, omitting PSK binder list" \ + -c "client hello, adding psk_key_exchange_modes extension" \ + -c "client hello, adding PSK binder list" \ + -c "<= write client hello" + +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_gnutls_tls1_3 +requires_gnutls_next_no_ticket +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +run_test "TLS 1.3, default suite, PSK - gnutls" \ + "$G_NEXT_SRV -d 4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+PSK:+CIPHER-ALL:%NO_TICKETS --pskhint=0a0b0c" \ + "$P_CLI debug_level=4 psk=010203 psk_identity=0a0b0c tls13_kex_modes=psk force_ciphersuite=TLS1-3-AES-128-GCM-SHA256" \ + 1 \ + -c "=> write client hello" \ + -c "client hello, adding pre_shared_key extension, omitting PSK binder list" \ + -c "client hello, adding psk_key_exchange_modes extension" \ + -c "client hello, adding PSK binder list" \ + -c "<= write client hello" + for i in opt-testcases/*.sh do TEST_SUITE_NAME=${i##*/} From 86981955666dd9284213668de7e887009f5b2338 Mon Sep 17 00:00:00 2001 From: XiaokangQian Date: Tue, 19 Jul 2022 09:51:50 +0000 Subject: [PATCH 4/9] Address comments of various issues Improve comments Change coding style Rename functions Change-Id: Ia111aef303932cfeee693431c3d48f90342b32e5 Signed-off-by: XiaokangQian --- library/ssl_client.c | 9 +++-- library/ssl_misc.h | 12 ++++--- library/ssl_tls13_client.c | 66 ++++++++++++++++++++----------------- library/ssl_tls13_generic.c | 6 ++-- 4 files changed, 53 insertions(+), 40 deletions(-) diff --git a/library/ssl_client.c b/library/ssl_client.c index afe07e815e..ee5a78a49c 100644 --- a/library/ssl_client.c +++ b/library/ssl_client.c @@ -645,6 +645,9 @@ static int ssl_write_client_hello_body( mbedtls_ssl_context *ssl, #if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \ defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) + /* The "pre_shared_key" extension (RFC 8446 Section 4.2.11) + * MUST be the last extension in the ClientHello. + */ if( propose_tls13 && mbedtls_ssl_conf_tls13_some_psk_enabled( ssl ) ) { ret = mbedtls_ssl_tls13_write_pre_shared_key_ext_without_binders( @@ -907,11 +910,11 @@ int mbedtls_ssl_write_client_hello( mbedtls_ssl_context *ssl ) if( binders_len > 0 ) { MBEDTLS_SSL_PROC_CHK( - mbedtls_ssl_tls13_write_pre_shared_key_ext_binders( + mbedtls_ssl_tls13_write_binders_of_pre_shared_key_ext( ssl, buf + msg_len - binders_len, buf + msg_len ) ); + ssl->handshake->update_checksum( ssl, buf + msg_len - binders_len, + binders_len ); } - ssl->handshake->update_checksum( ssl, buf + msg_len - binders_len, - binders_len ); #endif /* MBEDTLS_SSL_PROTO_TLS1_3 && MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */ MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_finish_handshake_msg( ssl, diff --git a/library/ssl_misc.h b/library/ssl_misc.h index f55dede2a8..295ff9f239 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -1336,9 +1336,6 @@ int mbedtls_ssl_write_finished( mbedtls_ssl_context *ssl ); void mbedtls_ssl_optimize_checksum( mbedtls_ssl_context *ssl, const mbedtls_ssl_ciphersuite_t *ciphersuite_info ); -void mbedtls_ssl_add_hs_hdr_to_checksum( mbedtls_ssl_context *ssl, - unsigned hs_type, - size_t total_hs_len ); /* * Update checksum of handshake messages. */ @@ -1347,6 +1344,10 @@ void mbedtls_ssl_add_hs_msg_to_checksum( mbedtls_ssl_context *ssl, unsigned char const *msg, size_t msg_len ); +void mbedtls_ssl_add_hs_hdr_to_checksum( mbedtls_ssl_context *ssl, + unsigned hs_type, + size_t total_hs_len ); + #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) #if !defined(MBEDTLS_USE_PSA_CRYPTO) MBEDTLS_CHECK_RETURN_CRITICAL @@ -2426,6 +2427,7 @@ int mbedtls_ssl_check_dtls_clihlo_cookie( /* Check if we have any PSK to offer, returns 0 if PSK is available. * Assign the psk and ticket if pointers are present. */ +MBEDTLS_CHECK_RETURN_CRITICAL int mbedtls_ssl_get_psk_to_offer( const mbedtls_ssl_context *ssl, int *psk_type, @@ -2445,6 +2447,7 @@ int mbedtls_ssl_get_psk_to_offer( * \param[out] binders_len Length of the binders to be written at the end of * the extension. */ +MBEDTLS_CHECK_RETURN_CRITICAL int mbedtls_ssl_tls13_write_pre_shared_key_ext_without_binders( mbedtls_ssl_context *ssl, unsigned char *buf, unsigned char *end, @@ -2459,7 +2462,8 @@ int mbedtls_ssl_tls13_write_pre_shared_key_ext_without_binders( * \param[in] buf Base address of the buffer where to write the binders * \param[in] end End address of the buffer where to write the binders */ -int mbedtls_ssl_tls13_write_pre_shared_key_ext_binders( +MBEDTLS_CHECK_RETURN_CRITICAL +int mbedtls_ssl_tls13_write_binders_of_pre_shared_key_ext( mbedtls_ssl_context *ssl, unsigned char *buf, unsigned char *end ); #endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */ diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c index 43a84867f7..37e57e8d9d 100644 --- a/library/ssl_tls13_client.c +++ b/library/ssl_tls13_client.c @@ -605,15 +605,12 @@ static int ssl_tls13_write_cookie_ext( mbedtls_ssl_context *ssl, * PskKeyExchangeMode ke_modes<1..255>; * } PskKeyExchangeModes; */ +MBEDTLS_CHECK_RETURN_CRITICAL static int ssl_tls13_write_psk_key_exchange_modes_ext( mbedtls_ssl_context *ssl, unsigned char *buf, unsigned char *end, size_t *out_len ) { - const unsigned char *psk; - size_t psk_len; - const unsigned char *psk_identity; - size_t psk_identity_len; unsigned char *p = buf; int ke_modes_len = 0; @@ -623,9 +620,7 @@ static int ssl_tls13_write_psk_key_exchange_modes_ext( mbedtls_ssl_context *ssl, /* Skip writing extension if no PSK key exchange mode * is enabled in the config or there is no PSK to offer. */ - if( !mbedtls_ssl_conf_tls13_some_psk_enabled( ssl ) || - mbedtls_ssl_get_psk_to_offer( ssl, NULL, &psk, &psk_len, - &psk_identity, &psk_identity_len ) != 0 ) + if( !mbedtls_ssl_conf_tls13_some_psk_enabled( ssl ) ) { MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip psk_key_exchange_modes extension" ) ); return( 0 ); @@ -682,10 +677,15 @@ static int ssl_tls13_write_psk_key_exchange_modes_ext( mbedtls_ssl_context *ssl, * opaque PskBinderEntry<32..255>; * * struct { + * PskIdentity identities<7..2^16-1>; + * PskBinderEntry binders<33..2^16-1>; + * } OfferedPsks; * - * PskIdentity identities<7..2^16-1>; - * PskBinderEntry binders<33..2^16-1>; - * + * struct { + * select (Handshake.msg_type) { + * case client_hello: OfferedPsks; + * ... + * }; * } PreSharedKeyExtension; * */ @@ -702,6 +702,7 @@ int mbedtls_ssl_tls13_write_pre_shared_key_ext_without_binders( size_t psk_len; const unsigned char *psk_identity; size_t psk_identity_len; + int psk_type; const mbedtls_ssl_ciphersuite_t *ciphersuite_info = NULL; const int *ciphersuites; psa_algorithm_t psa_hash_alg; @@ -725,7 +726,7 @@ int mbedtls_ssl_tls13_write_pre_shared_key_ext_without_binders( * - Otherwise, skip the PSK extension. */ - if( mbedtls_ssl_get_psk_to_offer( ssl, NULL, &psk, &psk_len, + if( mbedtls_ssl_get_psk_to_offer( ssl, &psk_type, &psk, &psk_len, &psk_identity, &psk_identity_len ) != 0 ) { MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip pre_shared_key extensions" ) ); @@ -736,19 +737,25 @@ int mbedtls_ssl_tls13_write_pre_shared_key_ext_without_binders( * Ciphersuite list */ ciphersuites = ssl->conf->ciphersuite_list; - for ( int i = 0; ciphersuites[i] != 0; i++ ) + if( psk_type == MBEDTLS_SSL_TLS1_3_PSK_EXTERNAL ) { - ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( ciphersuites[i] ); + for( int i = 0; ciphersuites[i] != 0; i++ ) + { + ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( + ciphersuites[i] ); - if( mbedtls_ssl_validate_ciphersuite( + if( mbedtls_ssl_validate_ciphersuite( ssl, ciphersuite_info, MBEDTLS_SSL_VERSION_TLS1_3, MBEDTLS_SSL_VERSION_TLS1_3 ) != 0 ) - continue; + continue; - /* In this implementation we only add one pre-shared-key extension. */ - ssl->session_negotiate->ciphersuite = ciphersuites[i]; - break; + /* In this implementation we only add one pre-shared-key + * extension. + */ + ssl->session_negotiate->ciphersuite = ciphersuites[i]; + break; + } } ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( @@ -804,7 +811,7 @@ int mbedtls_ssl_tls13_write_pre_shared_key_ext_without_binders( return( 0 ); } -int mbedtls_ssl_tls13_write_pre_shared_key_ext_binders( +int mbedtls_ssl_tls13_write_binders_of_pre_shared_key_ext( mbedtls_ssl_context *ssl, unsigned char *buf, unsigned char *end ) { @@ -847,11 +854,6 @@ int mbedtls_ssl_tls13_write_pre_shared_key_ext_binders( /* 1 bytes length field for next psk binder */ *p++ = MBEDTLS_BYTE_0( hash_len ); - if( ssl->handshake->resume == 1 ) - psk_type = MBEDTLS_SSL_TLS1_3_PSK_RESUMPTION; - else - psk_type = MBEDTLS_SSL_TLS1_3_PSK_EXTERNAL; - /* Get current state of handshake transcript. */ ret = mbedtls_ssl_get_handshake_transcript( ssl, ciphersuite_info->mac, transcript, sizeof( transcript ), @@ -1234,15 +1236,19 @@ static int ssl_tls13_check_server_hello_session_id_echo( mbedtls_ssl_context *ss * * struct { * - * uint16 selected_identity; + * select (Handshake.msg_type) { + * ... + * case server_hello: uint16 selected_identity; + * }; * * } PreSharedKeyExtension; * */ -static int ssl_tls13_parse_server_psk_identity_ext( mbedtls_ssl_context *ssl, - const unsigned char *buf, - const unsigned char *end ) +MBEDTLS_CHECK_RETURN_CRITICAL +static int ssl_tls13_parse_server_pre_shared_key_ext( mbedtls_ssl_context *ssl, + const unsigned char *buf, + const unsigned char *end ) { int ret = 0; size_t selected_identity; @@ -1524,11 +1530,11 @@ static int ssl_tls13_parse_server_hello( mbedtls_ssl_context *ssl, goto cleanup; } - if( ( ret = ssl_tls13_parse_server_psk_identity_ext( + if( ( ret = ssl_tls13_parse_server_pre_shared_key_ext( ssl, p, extension_data_end ) ) != 0 ) { MBEDTLS_SSL_DEBUG_RET( - 1, ( "ssl_tls13_parse_server_psk_identity_ext" ), ret ); + 1, ( "ssl_tls13_parse_server_pre_shared_key_ext" ), ret ); return( ret ); } break; diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c index 4cd0d0e267..9fd246df61 100644 --- a/library/ssl_tls13_generic.c +++ b/library/ssl_tls13_generic.c @@ -1509,6 +1509,7 @@ int mbedtls_ssl_tls13_generate_and_write_ecdh_key_exchange( /* Check if we have any PSK to offer, returns 0 if PSK is available. * Assign the psk and ticket if pointers are present. */ +MBEDTLS_CHECK_RETURN_CRITICAL int mbedtls_ssl_get_psk_to_offer( const mbedtls_ssl_context *ssl, int *psk_type, @@ -1517,7 +1518,7 @@ int mbedtls_ssl_get_psk_to_offer( { int ptrs_present = 0; - if( psk != NULL && psk_len != NULL && + if( psk_type != NULL && psk != NULL && psk_len != NULL && psk_identity != NULL && psk_identity_len != NULL ) { ptrs_present = 1; @@ -1528,14 +1529,13 @@ int mbedtls_ssl_get_psk_to_offer( { if( ptrs_present ) { + *psk_type = MBEDTLS_SSL_TLS1_3_PSK_EXTERNAL; *psk = ssl->conf->psk; *psk_len = ssl->conf->psk_len; *psk_identity = ssl->conf->psk_identity; *psk_identity_len = ssl->conf->psk_identity_len; } - if( psk_type != NULL ) - *psk_type = MBEDTLS_SSL_TLS1_3_PSK_EXTERNAL; return( 0 ); } From 7c12d3181354675ef3df9450bd5e9e3e77c30ece Mon Sep 17 00:00:00 2001 From: XiaokangQian Date: Wed, 20 Jul 2022 07:25:43 +0000 Subject: [PATCH 5/9] Refine comments for psk related code Change-Id: Iff5c176bb902919abc8d4fb78a185aa68704a791 Signed-off-by: XiaokangQian --- library/ssl_tls13_client.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c index 37e57e8d9d..5c693bdb0e 100644 --- a/library/ssl_tls13_client.c +++ b/library/ssl_tls13_client.c @@ -618,7 +618,7 @@ static int ssl_tls13_write_psk_key_exchange_modes_ext( mbedtls_ssl_context *ssl, *out_len = 0; /* Skip writing extension if no PSK key exchange mode - * is enabled in the config or there is no PSK to offer. + * is enabled in the config. */ if( !mbedtls_ssl_conf_tls13_some_psk_enabled( ssl ) ) { @@ -733,12 +733,12 @@ int mbedtls_ssl_tls13_write_pre_shared_key_ext_without_binders( return( 0 ); } - /* - * Ciphersuite list - */ - ciphersuites = ssl->conf->ciphersuite_list; if( psk_type == MBEDTLS_SSL_TLS1_3_PSK_EXTERNAL ) { + /* + * Ciphersuite list + */ + ciphersuites = ssl->conf->ciphersuite_list; for( int i = 0; ciphersuites[i] != 0; i++ ) { ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( From 088c92977e71787b484ad731e76bd868e73b6a5e Mon Sep 17 00:00:00 2001 From: XiaokangQian Date: Wed, 20 Jul 2022 10:43:34 +0000 Subject: [PATCH 6/9] Remove useless force cipher suite Change-Id: Ib217806b4d44dea11515dd3ee1463d29431d70bb Signed-off-by: XiaokangQian --- tests/ssl-opt.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index b8b377e7ff..a0ddd81f22 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -12005,7 +12005,7 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_CLI_C run_test "TLS 1.3, default suite, PSK - openssl" \ "$O_NEXT_SRV -msg -debug -tls1_3 -psk_identity 0a0b0c -psk 010203 -allow_no_dhe_kex -nocert" \ - "$P_CLI debug_level=4 psk=010203 psk_identity=0a0b0c tls13_kex_modes=psk force_ciphersuite=TLS1-3-AES-128-GCM-SHA256" \ + "$P_CLI debug_level=4 psk=010203 psk_identity=0a0b0c tls13_kex_modes=psk" \ 1 \ -c "=> write client hello" \ -c "client hello, adding pre_shared_key extension, omitting PSK binder list" \ @@ -12021,7 +12021,7 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_CLI_C run_test "TLS 1.3, default suite, PSK - gnutls" \ "$G_NEXT_SRV -d 4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+PSK:+CIPHER-ALL:%NO_TICKETS --pskhint=0a0b0c" \ - "$P_CLI debug_level=4 psk=010203 psk_identity=0a0b0c tls13_kex_modes=psk force_ciphersuite=TLS1-3-AES-128-GCM-SHA256" \ + "$P_CLI debug_level=4 psk=010203 psk_identity=0a0b0c tls13_kex_modes=psk" \ 1 \ -c "=> write client hello" \ -c "client hello, adding pre_shared_key extension, omitting PSK binder list" \ From 3ad67bf4e384d71f5f85309c6a397e822c8b29f1 Mon Sep 17 00:00:00 2001 From: XiaokangQian Date: Thu, 21 Jul 2022 02:26:21 +0000 Subject: [PATCH 7/9] Rename functions and add test messages Change-Id: Iab51b031ae82d7b2d384de708858be64be75f9ed Signed-off-by: XiaokangQian --- library/ssl_client.c | 2 +- library/ssl_misc.h | 2 +- library/ssl_tls13_client.c | 2 +- library/ssl_tls13_generic.c | 1 - tests/ssl-opt.sh | 2 ++ 5 files changed, 5 insertions(+), 4 deletions(-) diff --git a/library/ssl_client.c b/library/ssl_client.c index ee5a78a49c..e7453d5730 100644 --- a/library/ssl_client.c +++ b/library/ssl_client.c @@ -650,7 +650,7 @@ static int ssl_write_client_hello_body( mbedtls_ssl_context *ssl, */ if( propose_tls13 && mbedtls_ssl_conf_tls13_some_psk_enabled( ssl ) ) { - ret = mbedtls_ssl_tls13_write_pre_shared_key_ext_without_binders( + ret = mbedtls_ssl_tls13_write_identities_of_pre_shared_key_ext( ssl, p, end, &output_len, binders_len ); if( ret != 0 ) return( ret ); diff --git a/library/ssl_misc.h b/library/ssl_misc.h index 295ff9f239..ca57114220 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -2448,7 +2448,7 @@ int mbedtls_ssl_get_psk_to_offer( * the extension. */ MBEDTLS_CHECK_RETURN_CRITICAL -int mbedtls_ssl_tls13_write_pre_shared_key_ext_without_binders( +int mbedtls_ssl_tls13_write_identities_of_pre_shared_key_ext( mbedtls_ssl_context *ssl, unsigned char *buf, unsigned char *end, size_t *out_len, size_t *binders_len ); diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c index 5c693bdb0e..b23b0c54e9 100644 --- a/library/ssl_tls13_client.c +++ b/library/ssl_tls13_client.c @@ -692,7 +692,7 @@ static int ssl_tls13_write_psk_key_exchange_modes_ext( mbedtls_ssl_context *ssl, #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) -int mbedtls_ssl_tls13_write_pre_shared_key_ext_without_binders( +int mbedtls_ssl_tls13_write_identities_of_pre_shared_key_ext( mbedtls_ssl_context *ssl, unsigned char *buf, unsigned char *end, size_t *out_len, size_t *binders_len ) diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c index 9fd246df61..1e63c776ea 100644 --- a/library/ssl_tls13_generic.c +++ b/library/ssl_tls13_generic.c @@ -1509,7 +1509,6 @@ int mbedtls_ssl_tls13_generate_and_write_ecdh_key_exchange( /* Check if we have any PSK to offer, returns 0 if PSK is available. * Assign the psk and ticket if pointers are present. */ -MBEDTLS_CHECK_RETURN_CRITICAL int mbedtls_ssl_get_psk_to_offer( const mbedtls_ssl_context *ssl, int *psk_type, diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index a0ddd81f22..1b94773a63 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -12027,6 +12027,8 @@ run_test "TLS 1.3, default suite, PSK - gnutls" \ -c "client hello, adding pre_shared_key extension, omitting PSK binder list" \ -c "client hello, adding psk_key_exchange_modes extension" \ -c "client hello, adding PSK binder list" \ + -s "Parsing extension 'PSK Key Exchange Modes/45'" \ + -s "Parsing extension 'Pre Shared Key/41'" \ -c "<= write client hello" for i in opt-testcases/*.sh From bee71453b2643445427c6ff49e2d12fd2491f3ca Mon Sep 17 00:00:00 2001 From: XiaokangQian Date: Thu, 21 Jul 2022 08:19:06 +0000 Subject: [PATCH 8/9] Improve the buffer pointer check in write pre_shared key Signed-off-by: XiaokangQian --- library/ssl_tls13_client.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c index b23b0c54e9..0a7edc13ec 100644 --- a/library/ssl_tls13_client.c +++ b/library/ssl_tls13_client.c @@ -783,26 +783,29 @@ int mbedtls_ssl_tls13_write_identities_of_pre_shared_key_ext( identities_len = 6 + psk_identity_len; l_binders_len = 1 + hash_len; - MBEDTLS_SSL_CHK_BUF_PTR( p, end, 4 + 2 + identities_len + 2 + l_binders_len ); MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding pre_shared_key extension, " "omitting PSK binder list" ) ); /* Extension header */ + MBEDTLS_SSL_CHK_BUF_PTR( p, end, 8 ); MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_PRE_SHARED_KEY, p, 0 ); MBEDTLS_PUT_UINT16_BE( 2 + identities_len + 2 + l_binders_len , p, 2 ); MBEDTLS_PUT_UINT16_BE( identities_len, p, 4 ); MBEDTLS_PUT_UINT16_BE( psk_identity_len, p, 6 ); p += 8; + MBEDTLS_SSL_CHK_BUF_PTR( p, end, psk_identity_len ); memcpy( p, psk_identity, psk_identity_len ); p += psk_identity_len; /* add obfuscated ticket age */ + MBEDTLS_SSL_CHK_BUF_PTR( p, end, 4 ); MBEDTLS_PUT_UINT32_BE( obfuscated_ticket_age, p, 0 ); p += 4; + MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 + l_binders_len ); *out_len = ( p - buf ) + l_binders_len + 2; *binders_len = l_binders_len + 2; From 34e90fac27c057bedc1a4a97d080f4f8f9f3bb0c Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Thu, 21 Jul 2022 15:31:14 +0200 Subject: [PATCH 9/9] TLS 1.3: tests: Allow PSK exchange mode on GnuTLS server Allow PSK exchange mode on GnuTLS server for NewSessionTicket message test as otherwise the GnuTLS server does not send tickets. Signed-off-by: Ronald Cron --- tests/ssl-opt.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 1b94773a63..bffed6ced5 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -12665,7 +12665,7 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_CLI_C run_test "TLS 1.3: NewSessionTicket: Basic check, m->G" \ - "$G_NEXT_SRV --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL --disable-client-cert" \ + "$G_NEXT_SRV --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:+PSK --disable-client-cert" \ "$P_CLI debug_level=4" \ 0 \ -c "Protocol is TLSv1.3" \