diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 508a5e34ad..fba8f8f846 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -605,6 +605,8 @@ union mbedtls_ssl_premaster_secret #define MBEDTLS_PREMASTER_SIZE sizeof( union mbedtls_ssl_premaster_secret ) +#define MBEDTLS_TLS1_3_MD_MAX_SIZE MBEDTLS_MD_MAX_SIZE + /* Length in number of bytes of the TLS sequence number */ #define MBEDTLS_SSL_SEQUENCE_NUMBER_LEN 8 @@ -1052,10 +1054,10 @@ typedef void mbedtls_ssl_async_cancel_t( mbedtls_ssl_context *ssl ); typedef struct { - unsigned char client_application_traffic_secret_N[ MBEDTLS_MD_MAX_SIZE ]; - unsigned char server_application_traffic_secret_N[ MBEDTLS_MD_MAX_SIZE ]; - unsigned char exporter_master_secret [ MBEDTLS_MD_MAX_SIZE ]; - unsigned char resumption_master_secret [ MBEDTLS_MD_MAX_SIZE ]; + unsigned char client_application_traffic_secret_N[ MBEDTLS_TLS1_3_MD_MAX_SIZE ]; + unsigned char server_application_traffic_secret_N[ MBEDTLS_TLS1_3_MD_MAX_SIZE ]; + unsigned char exporter_master_secret [ MBEDTLS_TLS1_3_MD_MAX_SIZE ]; + unsigned char resumption_master_secret [ MBEDTLS_TLS1_3_MD_MAX_SIZE ]; } mbedtls_ssl_tls1_3_application_secrets; #if defined(MBEDTLS_SSL_DTLS_SRTP) diff --git a/library/ssl_misc.h b/library/ssl_misc.h index 6b9bc599de..89a5d4313f 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -307,8 +307,6 @@ + ( MBEDTLS_SSL_CID_OUT_LEN_MAX ) ) #endif -#define MBEDTLS_TLS1_3_MD_MAX_SIZE MBEDTLS_MD_MAX_SIZE - #define MBEDTLS_CLIENT_HELLO_RANDOM_LEN 32 #define MBEDTLS_SERVER_HELLO_RANDOM_LEN 32 @@ -724,7 +722,7 @@ struct mbedtls_ssl_handshake_params /* Buffer holding digest of the handshake up to * but excluding the outgoing finished message. */ - unsigned char digest[MBEDTLS_MD_MAX_SIZE]; + unsigned char digest[MBEDTLS_TLS1_3_MD_MAX_SIZE]; size_t digest_len; } finished_out; 
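Review bot: `MBEDTLS_TLS1_3_MD_MAX_SIZE`, added in the first include/mbedtls/ssl.h hunk, enters the public header with no comment, although it now sizes every secret in `mbedtls_ssl_tls1_3_application_secrets` and the Finished digest buffers in library/ssl_misc.h. A one-line comment would record that contract, for example `/* Upper bound, in bytes, on the hash output used by the TLS 1.3 key schedule; sizes the secret and transcript-digest buffers. */`. The macro is a plain alias of `MBEDTLS_MD_MAX_SIZE`, so if it is ever narrowed to the TLS 1.3 hash set, the length checks in the code that fills these buffers must stay in step, and the comment is the place to say so.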
@@ -733,48 +731,10 @@ struct mbedtls_ssl_handshake_params { /* Buffer holding digest of the handshake up to but * excluding the peer's incoming finished message. */ - unsigned char digest[MBEDTLS_MD_MAX_SIZE]; + unsigned char digest[MBEDTLS_TLS1_3_MD_MAX_SIZE]; size_t digest_len; } finished_in; -#if defined(MBEDTLS_SSL_CLI_C) - - /* Client, incoming ServerKeyExchange */ - struct - { - uint8_t preparation_done; - } srv_key_exchange; - - /* Client, incoming ServerHello */ - struct - { -#if defined(MBEDTLS_SSL_RENEGOTIATION) - int renego_info_seen; -#else - int dummy; -#endif - } srv_hello_in; - - /* Client, outgoing ClientKeyExchange */ - struct - { - uint8_t preparation_done; - } cli_key_exch_out; - - /* Client, outgoing Certificate Verify */ - struct - { - uint8_t preparation_done; - } crt_vrfy_out; - - /* Client, outgoing ClientHello */ - struct - { - uint8_t preparation_done; - } cli_hello_out; - -#endif /* MBEDTLS_SSL_CLI_C */ - } state_local; /* End of state-local variables. */ @@ -1222,7 +1182,7 @@ static inline int mbedtls_ssl_write_handshake_msg( mbedtls_ssl_context *ssl ) int mbedtls_ssl_write_record( mbedtls_ssl_context *ssl, uint8_t force_flush ); int mbedtls_ssl_flush_output( mbedtls_ssl_context *ssl ); -int mbedtls_ssl_tls13_process_finished_in( mbedtls_ssl_context *ssl ); +int mbedtls_ssl_tls13_process_finished_message( mbedtls_ssl_context *ssl ); int mbedtls_ssl_tls13_process_finished_out( mbedtls_ssl_context *ssl ); int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl ); diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c index c30d5627df..6deab2a8c7 100644 --- a/library/ssl_tls13_client.c +++ b/library/ssl_tls13_client.c @@ -1607,7 +1607,7 @@ static int ssl_tls1_3_process_server_finished( mbedtls_ssl_context *ssl ) { int ret; - ret = mbedtls_ssl_tls13_process_finished_in( ssl ); + ret = mbedtls_ssl_tls13_process_finished_message( ssl ); if( ret != 0 ) return( ret ); 
diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c
index 27cef72871..83f7202242 100644
--- a/library/ssl_tls13_generic.c
+++ b/library/ssl_tls13_generic.c
@@ -847,69 +847,37 @@ cleanup: /* * - * STATE HANDLING: Incoming Finished - * Overview + * STATE HANDLING: Incoming Finished message. */ - -static int ssl_tls13_preprocess_finished_in( mbedtls_ssl_context *ssl ); -static int ssl_tls13_finalize_finished_in( mbedtls_ssl_context *ssl ); -static int ssl_tls13_parse_finished_in( mbedtls_ssl_context *ssl, - const unsigned char *buf, - size_t buflen ); - /* * Implementation */ -int mbedtls_ssl_tls13_process_finished_in( mbedtls_ssl_context *ssl ) -{ - int ret = 0; - unsigned char *buf; - size_t buflen; - - MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse finished_in" ) ); - - /* Preprocessing step: Compute handshake digest */ - MBEDTLS_SSL_PROC_CHK( ssl_tls13_preprocess_finished_in( ssl ) ); - - MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls1_3_fetch_handshake_msg( ssl, - MBEDTLS_SSL_HS_FINISHED, - &buf, &buflen ) ); - MBEDTLS_SSL_PROC_CHK( ssl_tls13_parse_finished_in( ssl, buf, buflen ) ); - mbedtls_ssl_tls1_3_add_hs_msg_to_checksum( - ssl, MBEDTLS_SSL_HS_FINISHED, buf, buflen ); - MBEDTLS_SSL_PROC_CHK( ssl_tls13_finalize_finished_in( ssl ) ); - -cleanup: - - MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse finished_in" ) ); - return( ret ); -} - -static int ssl_tls13_preprocess_finished_in( mbedtls_ssl_context *ssl ) +static int ssl_tls13_prepare_finished_in( mbedtls_ssl_context *ssl ) { int ret; - ret = mbedtls_ssl_tls1_3_calculate_expected_finished( ssl, + ret = mbedtls_ssl_tls13_calculate_verify_data( ssl, ssl->handshake->state_local.finished_in.digest, sizeof( ssl->handshake->state_local.finished_in.digest ), &ssl->handshake->state_local.finished_in.digest_len, - ssl->conf->endpoint ^ 1 ); + ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ? 
+ MBEDTLS_SSL_IS_SERVER : MBEDTLS_SSL_IS_CLIENT ); if( ret != 0 ) { - MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls1_3_calculate_expected_finished", ret ); + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_calculate_verify_data", ret ); return( ret ); } return( 0 ); } -static int ssl_tls13_parse_finished_in( mbedtls_ssl_context *ssl, - const unsigned char *buf, - size_t buflen ) +static int ssl_tls13_parse_finished_message( mbedtls_ssl_context *ssl, + const unsigned char *buf, + const unsigned char *end ) { /* Structural validation */ - if( buflen != ssl->handshake->state_local.finished_in.digest_len ) + if( (size_t)( end - buf ) != ssl->handshake->state_local.finished_in.digest_len ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad finished message" ) ); @@ -918,10 +886,10 @@ static int ssl_tls13_parse_finished_in( mbedtls_ssl_context *ssl, return( MBEDTLS_ERR_SSL_DECODE_ERROR ); } - MBEDTLS_SSL_DEBUG_BUF( 4, "Hash (self-computed):", + MBEDTLS_SSL_DEBUG_BUF( 4, "verify_data (self-computed):", ssl->handshake->state_local.finished_in.digest, ssl->handshake->state_local.finished_in.digest_len ); - MBEDTLS_SSL_DEBUG_BUF( 4, "Hash (received message):", buf, + MBEDTLS_SSL_DEBUG_BUF( 4, "verify_data (received message):", buf, ssl->handshake->state_local.finished_in.digest_len ); /* Semantic validation */ @@ -938,7 +906,7 @@ static int ssl_tls13_parse_finished_in( mbedtls_ssl_context *ssl, return( 0 ); } -static int ssl_tls13_finalize_finished_in_cli( mbedtls_ssl_context *ssl ) +static int ssl_tls13_finalize_server_finished_message( mbedtls_ssl_context *ssl ) { int ret = 0; mbedtls_ssl_key_set traffic_keys; @@ -985,8 +953,8 @@ static int ssl_tls13_finalize_finished_in_cli( mbedtls_ssl_context *ssl ) cleanup: - mbedtls_platform_zeroize( &traffic_keys, sizeof(mbedtls_ssl_key_set) ); - if( ret != 0) + mbedtls_platform_zeroize( &traffic_keys, sizeof( mbedtls_ssl_key_set ) ); + if( ret != 0 ) { mbedtls_free( transform_application ); MBEDTLS_SSL_PEND_FATAL_ALERT( 
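Review bot: `ssl_tls13_parse_finished_message` now takes a `[buf, end)` range, but the hunk at -847 gives it no header comment saying that `end` must not precede `buf` or that the body must be exactly `digest_len` bytes long. The `(size_t)( end - buf ) != ...digest_len` test does fail closed on an inverted range, because the negative difference converts to a very large `size_t`, but that is better stated than left implicit in the cast. I would add `/* [buf, end) is the Finished body; its length must equal the expected verify_data length exactly. */` above the function. The function continues past this hunk, so the comparison under `/* Semantic validation */` is not visible here; it should be confirmed to use the library's constant-time compare and not plain `memcmp`, since it checks a MAC over peer-supplied bytes.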
@@ -996,17 +964,43 @@ cleanup: return( ret ); } -static int ssl_tls13_finalize_finished_in( mbedtls_ssl_context* ssl ) +static int ssl_tls13_finalize_finished_message( mbedtls_ssl_context* ssl ) { if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) { - return( ssl_tls13_finalize_finished_in_cli( ssl ) ); + return( ssl_tls13_finalize_server_finished_message( ssl ) ); } return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); } +int mbedtls_ssl_tls13_process_finished_message( mbedtls_ssl_context *ssl ) +{ + int ret = 0; + unsigned char *buf; + size_t buflen; + + MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse finished_in" ) ); + + /* Preprocessing step: Compute handshake digest */ + MBEDTLS_SSL_PROC_CHK( ssl_tls13_prepare_finished_in( ssl ) ); + + MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls1_3_fetch_handshake_msg( ssl, + MBEDTLS_SSL_HS_FINISHED, + &buf, &buflen ) ); + MBEDTLS_SSL_PROC_CHK( ssl_tls13_parse_finished_message( ssl, buf, buf + buflen ) ); + mbedtls_ssl_tls1_3_add_hs_msg_to_checksum( + ssl, MBEDTLS_SSL_HS_FINISHED, buf, buflen ); + MBEDTLS_SSL_PROC_CHK( ssl_tls13_finalize_finished_message( ssl ) ); + +cleanup: + + MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse finished_in" ) ); + return( ret ); +} + + #endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ #endif /* MBEDTLS_SSL_TLS_C */ diff --git a/library/ssl_tls13_keys.c b/library/ssl_tls13_keys.c index 1f0dd8a841..8f089f580b 100644 --- a/library/ssl_tls13_keys.c +++ b/library/ssl_tls13_keys.c @@ -643,7 +643,7 @@ exit: return( ret ); } -int mbedtls_ssl_tls1_3_calculate_expected_finished( mbedtls_ssl_context* ssl, +int mbedtls_ssl_tls13_calculate_verify_data( mbedtls_ssl_context* ssl, unsigned char* dst, size_t dst_len, size_t *actual_len, 
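Review bot: The trace strings and the step comment in the new `mbedtls_ssl_tls13_process_finished_message` (hunk at -996) still carry the old wording: `"=> parse finished_in"`, `"<= parse finished_in"` and `/* Preprocessing step: Compute handshake digest */`, although the helper it calls now computes verify_data. Anyone reading a handshake debug log to diagnose a Finished failure will search for the function name, so I would use `( "=> process finished message" )` / `( "<= process finished message" )` and `/* Preprocessing step: compute the peer's expected verify_data */`. The helper also keeps the `_in` suffix (`ssl_tls13_prepare_finished_in`) while its siblings were renamed to `_finished_message`; a single naming scheme would be easier to follow.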
@@ -660,7 +660,7 @@ int mbedtls_ssl_tls1_3_calculate_expected_finished( mbedtls_ssl_context* ssl, const mbedtls_md_info_t* const md = mbedtls_md_info_from_type( md_type ); size_t const md_size = mbedtls_md_get_size( md ); - MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> mbedtls_ssl_tls1_3_calculate_expected_finished" ) ); + MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> mbedtls_ssl_tls13_calculate_verify_data" ) ); if( dst_len < md_size ) return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); @@ -686,7 +686,7 @@ int mbedtls_ssl_tls1_3_calculate_expected_finished( mbedtls_ssl_context* ssl, *actual_len = md_size; MBEDTLS_SSL_DEBUG_BUF( 3, "verify_data for finished message", dst, md_size ); - MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= mbedtls_ssl_tls1_3_calculate_expected_finished" ) ); + MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= mbedtls_ssl_tls13_calculate_verify_data" ) ); exit: diff --git a/library/ssl_tls13_keys.h b/library/ssl_tls13_keys.h index fbc6e83c89..c5c3a34162 100644 --- a/library/ssl_tls13_keys.h +++ b/library/ssl_tls13_keys.h @@ -605,16 +605,17 @@ int mbedtls_ssl_tls1_3_generate_application_keys( mbedtls_ssl_context* ssl, mbedtls_ssl_key_set *traffic_keys ); /** - * \brief Calculate content of TLS 1.3 Finished message. + * \brief Calculate the verify_data value for the client or server TLS 1.3 + * Finished message. * * \param ssl The SSL context to operate on. This must be in * key schedule stage \c Handshake, see * mbedtls_ssl_tls13_key_schedule_stage_application(). - * \param dst The address at which to write the Finished content. + * \param dst The address at which to write the verify_data value. * \param dst_len The size of \p dst in bytes. * \param actual_len The address at which to store the amount of data * actually written to \p dst upon success. - * \param from The endpoint the Finished message originates from: + * \param from The message to calculate the `verify_data` for: * - #MBEDTLS_SSL_IS_CLIENT for the Client's Finished message * - #MBEDTLS_SSL_IS_SERVER for the Server's Finished message * 
@@ -625,7 +626,7 @@ int mbedtls_ssl_tls1_3_generate_application_keys( * \returns \c 0 on success. * \returns A negative error code on failure. */ -int mbedtls_ssl_tls1_3_calculate_expected_finished( mbedtls_ssl_context *ssl, +int mbedtls_ssl_tls13_calculate_verify_data( mbedtls_ssl_context *ssl, unsigned char *dst, size_t dst_len, size_t *actual_len,