mirror/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-01-26 21:35:35 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

tls13: Add allowed extesions constants.

Browse Source 
- And refactor check_received_extension

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
This commit is contained in:
Jerry Yu 2022-10-31 13:20:57 +08:00
parent 7a485c1fdf
commit df0ad658a3
2 changed files with 66 additions and 64 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

105
library/ssl_misc.h
View File

@ -134,76 +134,83 @@ uint32_t mbedtls_ssl_get_extension_mask( unsigned int extension_type );
* not specified for the message in which it appears, it MUST abort the handshake
* with an "illegal_parameter" alert.
*/
#define MBEDTLS_SSL_EXT_UNRECOGNIZED ( 1U << 31 )
/* Extensions that not recognized by TLS 1.3 */
#define MBEDTLS_SSL_TLS1_3_EXT_MASK_UNREOGNIZED \
( MBEDTLS_SSL_EXT_MASK( SUPPORTED_POINT_FORMATS ) | \
MBEDTLS_SSL_EXT_MASK( ENCRYPT_THEN_MAC ) | \
MBEDTLS_SSL_EXT_MASK( EXTENDED_MASTER_SECRET ) | \
MBEDTLS_SSL_EXT_MASK( SESSION_TICKET ) | \
MBEDTLS_SSL_EXT_MASK( UNRECOGNIZED ) )
/* RFC 8446 section 4.2. Allowed extensions for ClienHello */
#define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CH \
( MBEDTLS_SSL_EXT_SERVERNAME | \
MBEDTLS_SSL_EXT_MAX_FRAGMENT_LENGTH | \
MBEDTLS_SSL_EXT_STATUS_REQUEST | \
MBEDTLS_SSL_EXT_SUPPORTED_GROUPS | \
MBEDTLS_SSL_EXT_SIG_ALG | \
MBEDTLS_SSL_EXT_USE_SRTP | \
MBEDTLS_SSL_EXT_HEARTBEAT | \
MBEDTLS_SSL_EXT_ALPN | \
MBEDTLS_SSL_EXT_SCT | \
MBEDTLS_SSL_EXT_CLI_CERT_TYPE | \
MBEDTLS_SSL_EXT_SERV_CERT_TYPE | \
MBEDTLS_SSL_EXT_PADDING | \
MBEDTLS_SSL_EXT_KEY_SHARE | \
MBEDTLS_SSL_EXT_PRE_SHARED_KEY | \
MBEDTLS_SSL_EXT_PSK_KEY_EXCHANGE_MODES | \
MBEDTLS_SSL_EXT_EARLY_DATA | \
MBEDTLS_SSL_EXT_COOKIE | \
MBEDTLS_SSL_EXT_SUPPORTED_VERSIONS | \
MBEDTLS_SSL_EXT_CERT_AUTH | \
MBEDTLS_SSL_EXT_POST_HANDSHAKE_AUTH | \
MBEDTLS_SSL_EXT_SIG_ALG_CERT | \
MBEDTLS_SSL_EXT_UNRECOGNIZED )
( MBEDTLS_SSL_EXT_MASK( SERVERNAME ) | \
MBEDTLS_SSL_EXT_MASK( MAX_FRAGMENT_LENGTH ) | \
MBEDTLS_SSL_EXT_MASK( STATUS_REQUEST ) | \
MBEDTLS_SSL_EXT_MASK( SUPPORTED_GROUPS ) | \
MBEDTLS_SSL_EXT_MASK( SIG_ALG ) | \
MBEDTLS_SSL_EXT_MASK( USE_SRTP ) | \
MBEDTLS_SSL_EXT_MASK( HEARTBEAT ) | \
MBEDTLS_SSL_EXT_MASK( ALPN ) | \
MBEDTLS_SSL_EXT_MASK( SCT ) | \
MBEDTLS_SSL_EXT_MASK( CLI_CERT_TYPE ) | \
MBEDTLS_SSL_EXT_MASK( SERV_CERT_TYPE ) | \
MBEDTLS_SSL_EXT_MASK( PADDING ) | \
MBEDTLS_SSL_EXT_MASK( KEY_SHARE ) | \
MBEDTLS_SSL_EXT_MASK( PRE_SHARED_KEY ) | \
MBEDTLS_SSL_EXT_MASK( PSK_KEY_EXCHANGE_MODES ) | \
MBEDTLS_SSL_EXT_MASK( EARLY_DATA ) | \
MBEDTLS_SSL_EXT_MASK( COOKIE ) | \
MBEDTLS_SSL_EXT_MASK( SUPPORTED_VERSIONS ) | \
MBEDTLS_SSL_EXT_MASK( CERT_AUTH ) | \
MBEDTLS_SSL_EXT_MASK( POST_HANDSHAKE_AUTH ) | \
MBEDTLS_SSL_EXT_MASK( SIG_ALG_CERT ) | \
MBEDTLS_SSL_TLS1_3_EXT_MASK_UNREOGNIZED )
/* RFC 8446 section 4.2. Allowed extensions for EncryptedExtensions */
#define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_EE \
( MBEDTLS_SSL_EXT_SERVERNAME | \
MBEDTLS_SSL_EXT_MAX_FRAGMENT_LENGTH | \
MBEDTLS_SSL_EXT_SUPPORTED_GROUPS | \
MBEDTLS_SSL_EXT_USE_SRTP | \
MBEDTLS_SSL_EXT_HEARTBEAT | \
MBEDTLS_SSL_EXT_ALPN | \
MBEDTLS_SSL_EXT_CLI_CERT_TYPE | \
MBEDTLS_SSL_EXT_SERV_CERT_TYPE | \
MBEDTLS_SSL_EXT_EARLY_DATA )
( MBEDTLS_SSL_EXT_MASK( SERVERNAME ) | \
MBEDTLS_SSL_EXT_MASK( MAX_FRAGMENT_LENGTH ) | \
MBEDTLS_SSL_EXT_MASK( SUPPORTED_GROUPS ) | \
MBEDTLS_SSL_EXT_MASK( USE_SRTP ) | \
MBEDTLS_SSL_EXT_MASK( HEARTBEAT ) | \
MBEDTLS_SSL_EXT_MASK( ALPN ) | \
MBEDTLS_SSL_EXT_MASK( CLI_CERT_TYPE ) | \
MBEDTLS_SSL_EXT_MASK( SERV_CERT_TYPE ) | \
MBEDTLS_SSL_EXT_MASK( EARLY_DATA ) )
/* RFC 8446 section 4.2. Allowed extensions for CertificateRequest */
#define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CR \
( MBEDTLS_SSL_EXT_STATUS_REQUEST | \
MBEDTLS_SSL_EXT_SIG_ALG | \
MBEDTLS_SSL_EXT_SCT | \
MBEDTLS_SSL_EXT_CERT_AUTH | \
MBEDTLS_SSL_EXT_OID_FILTERS | \
MBEDTLS_SSL_EXT_SIG_ALG_CERT | \
MBEDTLS_SSL_EXT_UNRECOGNIZED )
( MBEDTLS_SSL_EXT_MASK( STATUS_REQUEST ) | \
MBEDTLS_SSL_EXT_MASK( SIG_ALG ) | \
MBEDTLS_SSL_EXT_MASK( SCT ) | \
MBEDTLS_SSL_EXT_MASK( CERT_AUTH ) | \
MBEDTLS_SSL_EXT_MASK( OID_FILTERS ) | \
MBEDTLS_SSL_EXT_MASK( SIG_ALG_CERT ) | \
MBEDTLS_SSL_TLS1_3_EXT_MASK_UNREOGNIZED )
/* RFC 8446 section 4.2. Allowed extensions for Certificate */
#define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CT \
( MBEDTLS_SSL_EXT_STATUS_REQUEST | \
MBEDTLS_SSL_EXT_SCT )
( MBEDTLS_SSL_EXT_MASK( STATUS_REQUEST ) | \
MBEDTLS_SSL_EXT_MASK( SCT ) )
/* RFC 8446 section 4.2. Allowed extensions for ServerHello */
#define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_SH \
( MBEDTLS_SSL_EXT_KEY_SHARE | \
MBEDTLS_SSL_EXT_PRE_SHARED_KEY | \
MBEDTLS_SSL_EXT_SUPPORTED_VERSIONS )
( MBEDTLS_SSL_EXT_MASK( KEY_SHARE ) | \
MBEDTLS_SSL_EXT_MASK( PRE_SHARED_KEY ) | \
MBEDTLS_SSL_EXT_MASK( SUPPORTED_VERSIONS ) )
/* RFC 8446 section 4.2. Allowed extensions for HelloRetryRequest */
#define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_HRR \
( MBEDTLS_SSL_EXT_KEY_SHARE | \
MBEDTLS_SSL_EXT_COOKIE | \
MBEDTLS_SSL_EXT_SUPPORTED_VERSIONS )
( MBEDTLS_SSL_EXT_MASK( KEY_SHARE ) | \
MBEDTLS_SSL_EXT_MASK( COOKIE ) | \
MBEDTLS_SSL_EXT_MASK( SUPPORTED_VERSIONS ) )
/* RFC 8446 section 4.2. Allowed extensions for NewSessionTicket */
#define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_NST \
( MBEDTLS_SSL_EXT_EARLY_DATA | \
MBEDTLS_SSL_EXT_UNRECOGNIZED )
( MBEDTLS_SSL_EXT_MASK( EARLY_DATA ) | \
MBEDTLS_SSL_TLS1_3_EXT_MASK_UNREOGNIZED )
/*
* Helper macros for function call with return check.

25
library/ssl_tls13_generic.c
View File

@ -1685,28 +1685,22 @@ void mbedtls_ssl_tls13_print_extensions( const mbedtls_ssl_context *ssl,
* with an "illegal_parameter" alert.
*
*/
int mbedtls_ssl_tls13_check_received_extension(
mbedtls_ssl_context *ssl,
int hs_msg_type,
unsigned int received_extension_type,
uint32_t hs_msg_allowed_extensions_mask )
{
#if defined(MBEDTLS_DEBUG_C)
const char *hs_msg_name = ssl_tls13_get_hs_msg_name( hs_msg_type );
#endif
uint32_t extension_mask = mbedtls_tls13_get_extension_mask( received_extension_type );
uint32_t extension_mask = mbedtls_ssl_get_extension_mask(
received_extension_type );
MBEDTLS_SSL_DEBUG_MSG( 3,
( "%s : received %s(%x) extension",
hs_msg_name,
mbedtls_tls13_get_extension_name( received_extension_type ),
(unsigned int)received_extension_type ) );
MBEDTLS_SSL_PRINT_EXT_TYPE(
3, hs_msg_type, received_extension_type, "received" );
if( ( extension_mask & hs_msg_allowed_extensions_mask ) == 0 )
{
MBEDTLS_SSL_DEBUG_MSG(
3, ( "%s : forbidden extension received.", hs_msg_name ) );
MBEDTLS_SSL_PRINT_EXT_TYPE(
3, hs_msg_type, received_extension_type, "is illegal" );
MBEDTLS_SSL_PEND_FATAL_ALERT(
MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
@ -1721,7 +1715,7 @@ int mbedtls_ssl_tls13_check_received_extension(
switch( hs_msg_type )
{
case MBEDTLS_SSL_HS_SERVER_HELLO:
case -MBEDTLS_SSL_HS_SERVER_HELLO: // HRR does not have IANA value.
case MBEDTLS_SSL_TLS1_3_HS_HELLO_RETRY_REQUEST:
case MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS:
case MBEDTLS_SSL_HS_CERTIFICATE:
/* Check if the received extension is sent by peer message.*/
@ -1732,8 +1726,8 @@ int mbedtls_ssl_tls13_check_received_extension(
return( 0 );
}
MBEDTLS_SSL_DEBUG_MSG(
3, ( "%s : unexpected extension received.", hs_msg_name ) );
MBEDTLS_SSL_PRINT_EXT_TYPE(
3, hs_msg_type, received_extension_type, "is unsupported" );
MBEDTLS_SSL_PEND_FATAL_ALERT(
MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT,
MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION );
@ -1741,3 +1735,4 @@ int mbedtls_ssl_tls13_check_received_extension(
}
#endif /* MBEDTLS_SSL_TLS_C && MBEDTLS_SSL_PROTO_TLS1_3 */