mirror/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-04-10 15:45:34 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Change cookie parameters for dtls and tls 1.3

Browse Source 
Signed-off-by: XiaokangQian <xiaokang.qian@arm.com>
This commit is contained in:
XiaokangQian 2022-02-09 06:02:25 +00:00
parent 25c9c9023c
commit 9b93c0dd8d
4 changed files with 37 additions and 32 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
library/ssl_cli.c
View File

@ -608,7 +608,7 @@ static int ssl_generate_random( mbedtls_ssl_context *ssl )
*/ */
#if defined(MBEDTLS_SSL_PROTO_DTLS) #if defined(MBEDTLS_SSL_PROTO_DTLS)
if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
ssl->handshake->verify_cookie != NULL ) ssl->handshake->cookie != NULL )
{ {
return( 0 ); return( 0 );
} }
@ -846,7 +846,7 @@ static int ssl_write_client_hello( mbedtls_ssl_context *ssl )
{ {
MBEDTLS_SSL_CHK_BUF_PTR( p, end, 1 ); MBEDTLS_SSL_CHK_BUF_PTR( p, end, 1 );
if( ssl->handshake->verify_cookie == NULL ) if( ssl->handshake->cookie == NULL )
{ {
MBEDTLS_SSL_DEBUG_MSG( 3, ( "no verify cookie to send" ) ); MBEDTLS_SSL_DEBUG_MSG( 3, ( "no verify cookie to send" ) );
*p++ = 0; *p++ = 0;
@ -854,15 +854,15 @@ static int ssl_write_client_hello( mbedtls_ssl_context *ssl )
else else
{ {
MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, cookie", MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, cookie",
ssl->handshake->verify_cookie, ssl->handshake->cookie,
ssl->handshake->verify_cookie_len ); ssl->handshake->verify_cookie_len );
*p++ = ssl->handshake->verify_cookie_len; *p++ = ssl->handshake->verify_cookie_len;
MBEDTLS_SSL_CHK_BUF_PTR( p, end, MBEDTLS_SSL_CHK_BUF_PTR( p, end,
ssl->handshake->verify_cookie_len ); ssl->handshake->verify_cookie_len );
memcpy( p, ssl->handshake->verify_cookie, memcpy( p, ssl->handshake->cookie,
ssl->handshake->verify_cookie_len ); ssl->handshake->verify_cookie_len );
p += ssl->handshake->verify_cookie_len; p += ssl->handshake->verify_cookie_len;
} }
} }
@ -1645,16 +1645,16 @@ static int ssl_parse_hello_verify_request( mbedtls_ssl_context *ssl )
} }
MBEDTLS_SSL_DEBUG_BUF( 3, "cookie", p, cookie_len ); MBEDTLS_SSL_DEBUG_BUF( 3, "cookie", p, cookie_len );
mbedtls_free( ssl->handshake->verify_cookie ); mbedtls_free( ssl->handshake->cookie );
ssl->handshake->verify_cookie = mbedtls_calloc( 1, cookie_len ); ssl->handshake->cookie = mbedtls_calloc( 1, cookie_len );
if( ssl->handshake->verify_cookie == NULL ) if( ssl->handshake->cookie == NULL )
{ {
MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc failed (%d bytes)", cookie_len ) ); MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc failed (%d bytes)", cookie_len ) );
return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
} }
memcpy( ssl->handshake->verify_cookie, p, cookie_len ); memcpy( ssl->handshake->cookie, p, cookie_len );
ssl->handshake->verify_cookie_len = cookie_len; ssl->handshake->verify_cookie_len = cookie_len;
/* Start over at ClientHello */ /* Start over at ClientHello */
@ -1736,8 +1736,8 @@ static int ssl_parse_server_hello( mbedtls_ssl_context *ssl )
else else
{ {
/* We made it through the verification process */ /* We made it through the verification process */
mbedtls_free( ssl->handshake->verify_cookie ); mbedtls_free( ssl->handshake->cookie );
ssl->handshake->verify_cookie = NULL; ssl->handshake->cookie = NULL;
ssl->handshake->verify_cookie_len = 0; ssl->handshake->verify_cookie_len = 0;
} }
} }

23
library/ssl_misc.h
View File

@ -704,17 +704,20 @@ struct mbedtls_ssl_handshake_params
} buffering; } buffering;
#if defined(MBEDTLS_SSL_PROTO_DTLS) || defined(MBEDTLS_SSL_PROTO_TLS1_3) #if defined(MBEDTLS_SSL_CLI_C) && \
unsigned char *verify_cookie; /*!< Cli: HelloVerifyRequest cookie ( defined(MBEDTLS_SSL_PROTO_DTLS) || defined(MBEDTLS_SSL_PROTO_TLS1_3) )
* for dtls / tls 1.3 unsigned char *cookie; /*!< HelloVerifyRequest cookie for DTLS
* Srv: unused */ * HelloRetryRequest cookie for TLS 1.3 */
unsigned char verify_cookie_len; /*!< Cli: cookie length for #endif /* MBEDTLS_SSL_CLI_C &&
* dtls / tls 1.3 ( MBEDTLS_SSL_PROTO_DTLS || MBEDTLS_SSL_PROTO_TLS1_3 ) */
#if defined(MBEDTLS_SSL_PROTO_DTLS)
unsigned char verify_cookie_len; /*!< Cli: HelloVerifyRequest cookie
* length
* Srv: flag for sending a cookie */ * Srv: flag for sending a cookie */
uint16_t hrr_cookie_len; /*!< Cli: hrr cookie length for #endif /* MBEDTLS_SSL_PROTO_DTLS */
* dtls / tls 1.3 #if defined(MBEDTLS_SSL_CLI_C) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
* Srv: unused */ uint16_t hrr_cookie_len; /*!< HelloRetryRequest cookie length */
#endif /* MBEDTLS_SSL_PROTO_DTLS || MBEDTLS_SSL_PROTO_TLS1_3 */ #endif /* MBEDTLS_SSL_CLI_C || MBEDTLS_SSL_PROTO_TLS1_3 */
#if defined(MBEDTLS_SSL_PROTO_DTLS) #if defined(MBEDTLS_SSL_PROTO_DTLS)
unsigned int out_msg_seq; /*!< Outgoing handshake sequence number */ unsigned int out_msg_seq; /*!< Outgoing handshake sequence number */

8
library/ssl_tls.c
View File

@ -3100,9 +3100,11 @@ void mbedtls_ssl_handshake_free( mbedtls_ssl_context *ssl )
mbedtls_pk_free( &handshake->peer_pubkey ); mbedtls_pk_free( &handshake->peer_pubkey );
#endif /* MBEDTLS_X509_CRT_PARSE_C && !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ #endif /* MBEDTLS_X509_CRT_PARSE_C && !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
#if defined(MBEDTLS_SSL_PROTO_DTLS) || defined(MBEDTLS_SSL_PROTO_TLS1_3) #if defined(MBEDTLS_SSL_CLI_C) && \
mbedtls_free( handshake->verify_cookie ); ( defined(MBEDTLS_SSL_PROTO_DTLS) || defined(MBEDTLS_SSL_PROTO_TLS1_3) )
#endif /* MBEDTLS_SSL_PROTO_DTLS || MBEDTLS_SSL_PROTO_TLS1_3 */ mbedtls_free( handshake->cookie );
#endif /* MBEDTLS_SSL_CLI_C &&
( MBEDTLS_SSL_PROTO_DTLS || MBEDTLS_SSL_PROTO_TLS1_3 ) */
#if defined(MBEDTLS_SSL_PROTO_DTLS) #if defined(MBEDTLS_SSL_PROTO_DTLS)
mbedtls_ssl_flight_free( handshake->flight ); mbedtls_ssl_flight_free( handshake->flight );

14
library/ssl_tls13_client.c
View File

@ -671,10 +671,10 @@ static int ssl_tls13_parse_cookie_ext( mbedtls_ssl_context *ssl,
MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, cookie_len ); MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, cookie_len );
MBEDTLS_SSL_DEBUG_BUF( 3, "cookie extension", p, cookie_len ); MBEDTLS_SSL_DEBUG_BUF( 3, "cookie extension", p, cookie_len );
mbedtls_free( handshake->verify_cookie ); mbedtls_free( handshake->cookie );
handshake->hrr_cookie_len = 0; handshake->hrr_cookie_len = 0;
handshake->verify_cookie = mbedtls_calloc( 1, cookie_len ); handshake->cookie = mbedtls_calloc( 1, cookie_len );
if( handshake->verify_cookie == NULL ) if( handshake->cookie == NULL )
{ {
MBEDTLS_SSL_DEBUG_MSG( 1, MBEDTLS_SSL_DEBUG_MSG( 1,
( "alloc failed ( %ud bytes )", ( "alloc failed ( %ud bytes )",
@ -682,7 +682,7 @@ static int ssl_tls13_parse_cookie_ext( mbedtls_ssl_context *ssl,
return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
} }
memcpy( handshake->verify_cookie, p, cookie_len ); memcpy( handshake->cookie, p, cookie_len );
handshake->hrr_cookie_len = cookie_len; handshake->hrr_cookie_len = cookie_len;
return( 0 ); return( 0 );
@ -697,14 +697,14 @@ static int ssl_tls13_write_cookie_ext( mbedtls_ssl_context *ssl,
*out_len = 0; *out_len = 0;
if( ssl->handshake->verify_cookie == NULL ) if( ssl->handshake->cookie == NULL )
{ {
MBEDTLS_SSL_DEBUG_MSG( 3, ( "no cookie to send; skip extension" ) ); MBEDTLS_SSL_DEBUG_MSG( 3, ( "no cookie to send; skip extension" ) );
return( 0 ); return( 0 );
} }
MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, cookie", MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, cookie",
ssl->handshake->verify_cookie, ssl->handshake->cookie,
ssl->handshake->hrr_cookie_len ); ssl->handshake->hrr_cookie_len );
MBEDTLS_SSL_CHK_BUF_PTR( p, end, ssl->handshake->hrr_cookie_len + 6 ); MBEDTLS_SSL_CHK_BUF_PTR( p, end, ssl->handshake->hrr_cookie_len + 6 );
@ -717,7 +717,7 @@ static int ssl_tls13_write_cookie_ext( mbedtls_ssl_context *ssl,
p += 6; p += 6;
/* Cookie */ /* Cookie */
memcpy( p, ssl->handshake->verify_cookie, ssl->handshake->hrr_cookie_len ); memcpy( p, ssl->handshake->cookie, ssl->handshake->hrr_cookie_len );
*out_len = ssl->handshake->hrr_cookie_len + 6; *out_len = ssl->handshake->hrr_cookie_len + 6;