mirror/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-04-16 08:42:50 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Merge pull request #8528 from yanrayw/issue/6933/parse-max_early_data_size

Browse Source 
TLS1.3 EarlyData: client: parse max_early_data_size
This commit is contained in:
Ronald Cron 2023-12-01 08:27:26 +00:00 committed by GitHub
commit 857d29f29a
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 43 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
library/ssl_tls.c
View File

@ -306,7 +306,7 @@ static int resize_buffer(unsigned char **buffer, size_t len_new, size_t *len_old
{ {
unsigned char *resized_buffer = mbedtls_calloc(1, len_new); unsigned char *resized_buffer = mbedtls_calloc(1, len_new);
if (resized_buffer == NULL) { if (resized_buffer == NULL) {
return -1; return MBEDTLS_ERR_SSL_ALLOC_FAILED;
} }
/* We want to copy len_new bytes when downsizing the buffer, and /* We want to copy len_new bytes when downsizing the buffer, and
@ -2623,8 +2623,7 @@ static int ssl_tls13_session_load(mbedtls_ssl_session *session,
#if defined(MBEDTLS_SSL_CLI_C) #if defined(MBEDTLS_SSL_CLI_C)
if (session->endpoint == MBEDTLS_SSL_IS_CLIENT) { if (session->endpoint == MBEDTLS_SSL_IS_CLIENT) {
#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) && \ #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
defined(MBEDTLS_SSL_SESSION_TICKETS)
size_t hostname_len; size_t hostname_len;
/* load host name */ /* load host name */
if (end - p < 2) { if (end - p < 2) {
@ -2644,8 +2643,7 @@ static int ssl_tls13_session_load(mbedtls_ssl_session *session,
memcpy(session->hostname, p, hostname_len); memcpy(session->hostname, p, hostname_len);
p += hostname_len; p += hostname_len;
} }
#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION && #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
MBEDTLS_SSL_SESSION_TICKETS */
#if defined(MBEDTLS_HAVE_TIME) #if defined(MBEDTLS_HAVE_TIME)
if (end - p < 8) { if (end - p < 8) {

46
library/ssl_tls13_client.c
View File

@ -2647,6 +2647,37 @@ static int ssl_tls13_handshake_wrapup(mbedtls_ssl_context *ssl)
#if defined(MBEDTLS_SSL_SESSION_TICKETS) #if defined(MBEDTLS_SSL_SESSION_TICKETS)
#if defined(MBEDTLS_SSL_EARLY_DATA)
/* From RFC 8446 section 4.2.10
*
* struct {
* select (Handshake.msg_type) {
* case new_session_ticket: uint32 max_early_data_size;
* ...
* };
* } EarlyDataIndication;
*/
MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_tls13_parse_new_session_ticket_early_data_ext(
mbedtls_ssl_context *ssl,
const unsigned char *buf,
const unsigned char *end)
{
mbedtls_ssl_session *session = ssl->session;
MBEDTLS_SSL_CHK_BUF_READ_PTR(buf, end, 4);
session->max_early_data_size = MBEDTLS_GET_UINT32_BE(buf, 0);
mbedtls_ssl_session_set_ticket_flags(
session, MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_EARLY_DATA);
MBEDTLS_SSL_DEBUG_MSG(
3, ("received max_early_data_size: %u",
(unsigned int) session->max_early_data_size));
return 0;
}
#endif /* MBEDTLS_SSL_EARLY_DATA */
MBEDTLS_CHECK_RETURN_CRITICAL MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_tls13_parse_new_session_ticket_exts(mbedtls_ssl_context *ssl, static int ssl_tls13_parse_new_session_ticket_exts(mbedtls_ssl_context *ssl,
const unsigned char *buf, const unsigned char *buf,
@ -2680,15 +2711,12 @@ static int ssl_tls13_parse_new_session_ticket_exts(mbedtls_ssl_context *ssl,
switch (extension_type) { switch (extension_type) {
#if defined(MBEDTLS_SSL_EARLY_DATA) #if defined(MBEDTLS_SSL_EARLY_DATA)
case MBEDTLS_TLS_EXT_EARLY_DATA: case MBEDTLS_TLS_EXT_EARLY_DATA:
if (extension_data_len != 4) { ret = ssl_tls13_parse_new_session_ticket_early_data_ext(
MBEDTLS_SSL_PEND_FATAL_ALERT( ssl, p, p + extension_data_len);
MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR, if (ret != 0) {
MBEDTLS_ERR_SSL_DECODE_ERROR); MBEDTLS_SSL_DEBUG_RET(
return MBEDTLS_ERR_SSL_DECODE_ERROR; 1, "ssl_tls13_parse_new_session_ticket_early_data_ext",
} ret);
if (ssl->session != NULL) {
ssl->session->ticket_flags |=
MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_EARLY_DATA;
} }
break; break;
#endif /* MBEDTLS_SSL_EARLY_DATA */ #endif /* MBEDTLS_SSL_EARLY_DATA */

4
tests/opt-testcases/tls13-misc.sh
View File

@ -261,9 +261,11 @@ requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
requires_any_configs_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED \ requires_any_configs_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
run_test "TLS 1.3 m->G: EarlyData: basic check, good" \ run_test "TLS 1.3 m->G: EarlyData: basic check, good" \
"$G_NEXT_SRV -d 10 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:+ECDHE-PSK:+PSK --earlydata --disable-client-cert" \ "$G_NEXT_SRV -d 10 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:+ECDHE-PSK:+PSK \
--earlydata --maxearlydata 16384 --disable-client-cert" \
"$P_CLI debug_level=4 early_data=1 reco_mode=1 reconnect=1 reco_delay=900" \ "$P_CLI debug_level=4 early_data=1 reco_mode=1 reconnect=1 reco_delay=900" \
0 \ 0 \
-c "received max_early_data_size: 16384" \
-c "Reconnecting with saved session" \ -c "Reconnecting with saved session" \
-c "NewSessionTicket: early_data(42) extension received." \ -c "NewSessionTicket: early_data(42) extension received." \
-c "ClientHello: early_data(42) extension exists." \ -c "ClientHello: early_data(42) extension exists." \