mirror of
https://github.com/Mbed-TLS/mbedtls.git
synced 2025-03-01 13:13:28 +00:00
Merge pull request #6719 from yuhaoth/pr/tls13-early-data-add-early-data-of-client-hello
TLS 1.3: EarlyData SRV: Add early data extension parser.
This commit is contained in:
commit
95b735530c
@ -1840,7 +1840,7 @@ struct mbedtls_ssl_context {
|
||||
* and #MBEDTLS_SSL_CID_DISABLED. */
|
||||
#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
|
||||
|
||||
#if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_CLI_C)
|
||||
#if defined(MBEDTLS_SSL_EARLY_DATA)
|
||||
int MBEDTLS_PRIVATE(early_data_status);
|
||||
#endif /* MBEDTLS_SSL_EARLY_DATA && MBEDTLS_SSL_CLI_C */
|
||||
|
||||
@ -5013,6 +5013,10 @@ int mbedtls_ssl_close_notify(mbedtls_ssl_context *ssl);
|
||||
|
||||
#if defined(MBEDTLS_SSL_EARLY_DATA)
|
||||
|
||||
#define MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT 0
|
||||
#define MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED 1
|
||||
#define MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED 2
|
||||
|
||||
#if defined(MBEDTLS_SSL_SRV_C)
|
||||
/**
|
||||
* \brief Read at most 'len' application data bytes while performing
|
||||
@ -5122,9 +5126,6 @@ int mbedtls_ssl_read_early_data(mbedtls_ssl_context *ssl,
|
||||
int mbedtls_ssl_write_early_data(mbedtls_ssl_context *ssl,
|
||||
const unsigned char *buf, size_t len);
|
||||
|
||||
#define MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT 0
|
||||
#define MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED 1
|
||||
#define MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED 2
|
||||
/**
|
||||
* \brief Get the status of the negotiation of the use of early data.
|
||||
*
|
||||
|
@ -2129,6 +2129,12 @@ int mbedtls_ssl_tls13_write_early_data_ext(mbedtls_ssl_context *ssl,
|
||||
unsigned char *buf,
|
||||
const unsigned char *end,
|
||||
size_t *out_len);
|
||||
|
||||
#if defined(MBEDTLS_SSL_SRV_C)
|
||||
#define MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_RECEIVED \
|
||||
MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT
|
||||
#endif /* MBEDTLS_SSL_SRV_C */
|
||||
|
||||
#endif /* MBEDTLS_SSL_EARLY_DATA */
|
||||
|
||||
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
|
||||
|
@ -1749,6 +1749,25 @@ static int ssl_tls13_parse_client_hello(mbedtls_ssl_context *ssl,
|
||||
return hrr_required ? SSL_CLIENT_HELLO_HRR_REQUIRED : SSL_CLIENT_HELLO_OK;
|
||||
}
|
||||
|
||||
#if defined(MBEDTLS_SSL_EARLY_DATA)
|
||||
static void ssl_tls13_update_early_data_status(mbedtls_ssl_context *ssl)
|
||||
{
|
||||
mbedtls_ssl_handshake_params *handshake = ssl->handshake;
|
||||
|
||||
if ((handshake->received_extensions &
|
||||
MBEDTLS_SSL_EXT_MASK(EARLY_DATA)) == 0) {
|
||||
MBEDTLS_SSL_DEBUG_MSG(
|
||||
1, ("EarlyData: no early data extension received."));
|
||||
ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_RECEIVED;
|
||||
return;
|
||||
}
|
||||
|
||||
/* We do not accept early data for the time being */
|
||||
ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED;
|
||||
|
||||
}
|
||||
#endif /* MBEDTLS_SSL_EARLY_DATA */
|
||||
|
||||
/* Update the handshake state machine */
|
||||
|
||||
MBEDTLS_CHECK_RETURN_CRITICAL
|
||||
@ -1775,6 +1794,11 @@ static int ssl_tls13_postprocess_client_hello(mbedtls_ssl_context *ssl)
|
||||
return ret;
|
||||
}
|
||||
|
||||
#if defined(MBEDTLS_SSL_EARLY_DATA)
|
||||
/* There is enough information, update early data state. */
|
||||
ssl_tls13_update_early_data_status(ssl);
|
||||
#endif /* MBEDTLS_SSL_EARLY_DATA */
|
||||
|
||||
return 0;
|
||||
|
||||
}
|
||||
|
3
tests/data_files/tls13_early_data.txt
Normal file
3
tests/data_files/tls13_early_data.txt
Normal file
@ -0,0 +1,3 @@
|
||||
EarlyData context: line 0 lf
|
||||
EarlyData context: line 1 lf
|
||||
EarlyData context: If it appears, that means early_data received.
|
@ -493,3 +493,18 @@ run_test "TLS 1.3 m->m: Resumption with ticket flags, psk_all/psk_all." \
|
||||
-S "No suitable key exchange mode" \
|
||||
-s "found matched identity"
|
||||
|
||||
requires_gnutls_next
|
||||
requires_all_configs_enabled MBEDTLS_SSL_EARLY_DATA MBEDTLS_SSL_SESSION_TICKETS \
|
||||
MBEDTLS_SSL_SRV_C MBEDTLS_DEBUG_C MBEDTLS_HAVE_TIME \
|
||||
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \
|
||||
MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
|
||||
requires_any_configs_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED \
|
||||
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
|
||||
run_test "TLS 1.3 G->m: EarlyData: feature is disabled, fail." \
|
||||
"$P_SRV force_version=tls13 debug_level=4 max_early_data_size=-1" \
|
||||
"$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+GROUP-ALL -d 10 -r --earlydata $EARLY_DATA_INPUT" \
|
||||
1 \
|
||||
-s "ClientHello: early_data(42) extension exists." \
|
||||
-s "EncryptedExtensions: early_data(42) extension does not exist." \
|
||||
-s "NewSessionTicket: early_data(42) extension does not exist." \
|
||||
-s "Last error was: -29056 - SSL - Verification of the message MAC failed"
|
||||
|
@ -72,6 +72,7 @@ guess_config_name() {
|
||||
: ${MBEDTLS_TEST_OUTCOME_FILE=}
|
||||
: ${MBEDTLS_TEST_CONFIGURATION:="$(guess_config_name)"}
|
||||
: ${MBEDTLS_TEST_PLATFORM:="$(uname -s | tr -c \\n0-9A-Za-z _)-$(uname -m | tr -c \\n0-9A-Za-z _)"}
|
||||
: ${EARLY_DATA_INPUT:=data_files/tls13_early_data.txt}
|
||||
|
||||
O_SRV="$OPENSSL s_server -www -cert data_files/server5.crt -key data_files/server5.key"
|
||||
O_CLI="echo 'GET / HTTP/1.0' | $OPENSSL s_client"
|
||||
|
Loading…
x
Reference in New Issue
Block a user