diff --git a/library/ssl_client.c b/library/ssl_client.c
index 0f0ea1dc52..82695f1bc3 100644
--- a/library/ssl_client.c
+++ b/library/ssl_client.c
@@ -524,8 +524,8 @@ static int ssl_write_client_hello_body( mbedtls_ssl_context *ssl,
 {
 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, cookie", handshake->cookie,
- handshake->verify_cookie_len );
- cookie_len = handshake->verify_cookie_len;
+ handshake->cookie_len );
+ cookie_len = handshake->cookie_len;
 }
 
 MBEDTLS_SSL_CHK_BUF_PTR( p, end, cookie_len + 1 );
diff --git a/library/ssl_misc.h b/library/ssl_misc.h
index 53d50f23c1..ab667a2ce1 100644
--- a/library/ssl_misc.h
+++ b/library/ssl_misc.h
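Review bot: The assignment `cookie_len = handshake->cookie_len;` now reads a field whose width depends on configuration — per the ssl_misc.h hunk it is `uint16_t` whenever MBEDTLS_SSL_PROTO_TLS1_3 is enabled — while the `MBEDTLS_SSL_CHK_BUF_PTR( p, end, cookie_len + 1 )` line shows this path encodes the cookie behind a one-byte length. If the local `cookie_len` is an 8-bit type (its declaration is outside the hunk), the assignment silently truncates any stored value above 255 instead of failing, and nothing in the hunk enforces that the stored cookie came from a DTLS HelloVerifyRequest, which is what keeps the value in range today. A comment stating the invariant next to the assignment, e.g. `/* DTLS HelloVerifyRequest cookies are at most 255 bytes (RFC 6347); with TLS 1.3 enabled the field is wider than this one-byte encoding. */`, or a defensive `if( handshake->cookie_len > 255 ) return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );` before the copy, would make the narrowing explicit. ssl_write_client_hello_body starts before and ends after this hunk.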
@@ -846,19 +846,33 @@ struct mbedtls_ssl_handshake_params
 } buffering;
 
 #if defined(MBEDTLS_SSL_CLI_C) && \
- ( defined(MBEDTLS_SSL_PROTO_DTLS) || defined(MBEDTLS_SSL_PROTO_TLS1_3) )
- unsigned char *cookie; /*!< HelloVerifyRequest cookie for DTLS
- * HelloRetryRequest cookie for TLS 1.3 */
+ ( defined(MBEDTLS_SSL_PROTO_DTLS) || \
+ defined(MBEDTLS_SSL_PROTO_TLS1_3) )
+ unsigned char *cookie; /*!< HelloVerifyRequest cookie for DTLS
+ * HelloRetryRequest cookie for TLS 1.3 */
+#if !defined(MBEDTLS_SSL_PROTO_TLS1_3)
+ /* RFC 6347 page 15
+ ...
+ opaque cookie<0..2^8-1>;
+ ...
+ */
+ uint8_t cookie_len;
+#else
+ /* RFC 8446 page 39
+ ...
+ opaque cookie<0..2^16-1>;
+ ...
+ If TLS1_3 is enabled, the max length is 2^16 - 1
+ */
+ uint16_t cookie_len; /*!< DTLS: HelloVerifyRequest cookie length
+ * TLS1_3: HelloRetryRequest cookie length */
+#endif
 #endif /* MBEDTLS_SSL_CLI_C &&
- ( MBEDTLS_SSL_PROTO_DTLS || MBEDTLS_SSL_PROTO_TLS1_3 ) */
-#if defined(MBEDTLS_SSL_PROTO_DTLS)
- unsigned char verify_cookie_len; /*!< Cli: HelloVerifyRequest cookie
- * length
- * Srv: flag for sending a cookie */
-#endif /* MBEDTLS_SSL_PROTO_DTLS */
-#if defined(MBEDTLS_SSL_CLI_C) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
- uint16_t hrr_cookie_len; /*!< HelloRetryRequest cookie length */
-#endif /* MBEDTLS_SSL_CLI_C && MBEDTLS_SSL_PROTO_TLS1_3 */
+ ( MBEDTLS_SSL_PROTO_DTLS ||
+ MBEDTLS_SSL_PROTO_TLS1_3 ) */
+#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_PROTO_DTLS)
+ unsigned char cookie_verify_result; /*!< Srv: flag for sending a cookie */
+#endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_PROTO_DTLS */
 
 #if defined(MBEDTLS_SSL_PROTO_DTLS)
 unsigned int out_msg_seq; /*!< Outgoing handshake sequence number */
diff --git a/library/ssl_tls12_client.c b/library/ssl_tls12_client.c
index 5def8b6caa..dd55456c9f 100644
--- a/library/ssl_tls12_client.c
+++ b/library/ssl_tls12_client.c
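Review bot: The new `cookie_verify_result` member is documented only as `/*!< Srv: flag for sending a cookie */`, which does not state its polarity; the ssl_tls12_server.c hunks set it to 1 when the cookie check fails and to 0 when it passes, and ssl_write_server_hello treats nonzero as "client hello was not authenticated". A name ending in `_result` invites reading nonzero as success, so the comment should pin the meaning, e.g. `/*!< Srv: nonzero if the DTLS cookie check failed and a HelloVerifyRequest must be sent instead of a ServerHello */`. With this polarity a zero-initialised handshake (presumably how the struct starts; not visible here) means "verified", so any server path that skips the check — the outer `else` at the end of the first ssl_tls12_server.c hunk looks like one — proceeds without a cookie round-trip, which is worth stating next to the field since it is a fail-open default. The `uint8_t cookie_len;` in the `!MBEDTLS_SSL_PROTO_TLS1_3` branch carries no `/*!< ... */` description while its `uint16_t` twin does; giving both the same description, or hoisting one comment above the inner `#if`, keeps the Doxygen output consistent and makes the configuration-dependent width visible to callers such as ssl_write_client_hello_body that copy it into a narrower local.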
@@ -1200,7 +1200,7 @@ static int ssl_parse_hello_verify_request( mbedtls_ssl_context *ssl )
 }
 
 memcpy( ssl->handshake->cookie, p, cookie_len );
- ssl->handshake->verify_cookie_len = cookie_len;
+ ssl->handshake->cookie_len = cookie_len;
 
 /* Start over at ClientHello */
 ssl->state = MBEDTLS_SSL_CLIENT_HELLO;
@@ -1284,7 +1284,7 @@ static int ssl_parse_server_hello( mbedtls_ssl_context *ssl )
 /* We made it through the verification process */
 mbedtls_free( ssl->handshake->cookie );
 ssl->handshake->cookie = NULL;
- ssl->handshake->verify_cookie_len = 0;
+ ssl->handshake->cookie_len = 0;
 }
 }
 #endif /* MBEDTLS_SSL_PROTO_DTLS */
diff --git a/library/ssl_tls12_server.c b/library/ssl_tls12_server.c
index eeb579a5c5..5cdbcc0163 100644
--- a/library/ssl_tls12_server.c
+++ b/library/ssl_tls12_server.c
@@ -1274,12 +1274,12 @@ read_record_header:
 ssl->cli_id, ssl->cli_id_len ) != 0 )
 {
 MBEDTLS_SSL_DEBUG_MSG( 2, ( "cookie verification failed" ) );
- ssl->handshake->verify_cookie_len = 1;
+ ssl->handshake->cookie_verify_result = 1;
 }
 else
 {
 MBEDTLS_SSL_DEBUG_MSG( 2, ( "cookie verification passed" ) );
- ssl->handshake->verify_cookie_len = 0;
+ ssl->handshake->cookie_verify_result = 0;
 }
 }
 else
@@ -2244,7 +2244,7 @@ static int ssl_write_server_hello( mbedtls_ssl_context *ssl )
 
 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
- ssl->handshake->verify_cookie_len != 0 )
+ ssl->handshake->cookie_verify_result != 0 )
 {
 MBEDTLS_SSL_DEBUG_MSG( 2, ( "client hello was not authenticated" ) );
 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server hello" ) );
diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c
index 0109f776c0..839b954452 100644
--- a/library/ssl_tls13_client.c
+++ b/library/ssl_tls13_client.c
@@ -553,7 +553,7 @@ static int ssl_tls13_parse_cookie_ext( mbedtls_ssl_context *ssl,
 MBEDTLS_SSL_DEBUG_BUF( 3, "cookie extension", p, cookie_len );
 
 mbedtls_free( handshake->cookie );
- handshake->hrr_cookie_len = 0;
+ handshake->cookie_len = 0;
 handshake->cookie = mbedtls_calloc( 1, cookie_len );
 if( handshake->cookie == NULL )
 {
@@ -564,7 +564,7 @@ static int ssl_tls13_parse_cookie_ext( mbedtls_ssl_context *ssl,
 }
 
 memcpy( handshake->cookie, p, cookie_len );
- handshake->hrr_cookie_len = cookie_len;
+ handshake->cookie_len = cookie_len;
 
 return( 0 );
 }
@@ -587,21 +587,21 @@ static int ssl_tls13_write_cookie_ext( mbedtls_ssl_context *ssl,
 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, cookie", handshake->cookie,
- handshake->hrr_cookie_len );
+ handshake->cookie_len );
 
- MBEDTLS_SSL_CHK_BUF_PTR( p, end, handshake->hrr_cookie_len + 6 );
+ MBEDTLS_SSL_CHK_BUF_PTR( p, end, handshake->cookie_len + 6 );
 
 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding cookie extension" ) );
 
 MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_COOKIE, p, 0 );
- MBEDTLS_PUT_UINT16_BE( handshake->hrr_cookie_len + 2, p, 2 );
- MBEDTLS_PUT_UINT16_BE( handshake->hrr_cookie_len, p, 4 );
+ MBEDTLS_PUT_UINT16_BE( handshake->cookie_len + 2, p, 2 );
+ MBEDTLS_PUT_UINT16_BE( handshake->cookie_len, p, 4 );
 p += 6;
 
 /* Cookie */
- memcpy( p, handshake->cookie, handshake->hrr_cookie_len );
+ memcpy( p, handshake->cookie, handshake->cookie_len );
 
- *out_len = handshake->hrr_cookie_len + 6;
+ *out_len = handshake->cookie_len + 6;
 
 mbedtls_ssl_tls13_set_hs_sent_ext_mask( ssl, MBEDTLS_TLS_EXT_COOKIE );