From 24c0ec31f99500c8ce557b693f0eb988e5aa5ee8 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Thu, 9 Sep 2021 14:21:07 +0800 Subject: [PATCH 01/24] tls13: add get_handshake_transcript Signed-off-by: Jerry Yu --- library/ssl_misc.h | 7 +++ library/ssl_tls.c | 143 +++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 150 insertions(+) diff --git a/library/ssl_misc.h b/library/ssl_misc.h index c338d79eec..604976f5fc 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -1493,6 +1493,13 @@ void mbedtls_ssl_tls13_add_hs_hdr_to_checksum( mbedtls_ssl_context *ssl, unsigned hs_type, size_t total_hs_len ); +/* Get handshake transcript */ +int mbedtls_ssl_tls13_get_handshake_transcript( mbedtls_ssl_context *ssl, + const mbedtls_md_type_t md, + unsigned char *dst, + size_t dst_len, + size_t *olen ); + #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) /* * Write TLS 1.3 Signature Algorithm extension diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 360419240f..dc7b1e85c6 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c 
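Review bot: The new mbedtls_ssl_tls13_get_handshake_transcript() prototype in ssl_misc.h is documented only as `/* Get handshake transcript */`, which leaves the contract of `md`, `dst_len` and `olen` to whoever reads ssl_tls.c, although every key-schedule stage in this series will call it. Document that `md` selects the running hash (the function does not consult the negotiated ciphersuite itself), that `dst_len` below the digest size or an unsupported `md` yields MBEDTLS_ERR_SSL_INTERNAL_ERROR, and that `*olen` receives the digest length on success. Three lines suffice: `/* Write the current handshake transcript hash for algorithm md into dst.`, ` * dst_len must be >= the digest size; *olen is set to the digest size. Returns 0,`, ` * MBEDTLS_ERR_SSL_INTERNAL_ERROR (unsupported md, dst too small) or a PSA hash error. */`.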
@@ -6978,4 +6978,147 @@ exit: #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ +#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) + +#if defined(MBEDTLS_SHA384_C) +static int ssl_tls13_get_handshake_transcript_sha384( mbedtls_ssl_context *ssl, + unsigned char *dst, + size_t dst_len, + size_t *olen ) +{ +#if defined(MBEDTLS_USE_PSA_CRYPTO) + psa_status_t status; + psa_hash_operation_t sha384_psa = psa_hash_operation_init(); + + if( dst_len < 48 ) + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); + + MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> PSA calc verify sha256" ) ); + status = psa_hash_clone( &ssl->handshake->fin_sha384_psa, &sha384_psa ); + if( status != PSA_SUCCESS ) + { + MBEDTLS_SSL_DEBUG_MSG( 2, ( "PSA hash clone failed" ) ); + return( MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED ); + } + + status = psa_hash_finish( &sha384_psa, dst, dst_len, olen ); + if( status != PSA_SUCCESS ) + { + MBEDTLS_SSL_DEBUG_MSG( 2, ( "PSA hash finish failed" ) ); + return( MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED ); + } + + *olen = 48; + MBEDTLS_SSL_DEBUG_BUF( 3, "PSA calculated verify result", dst, *olen ); + MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= PSA calc verify" ) ); + return( 0 ); +#else /* MBEDTLS_USE_PSA_CRYPTO */ + int ret; + mbedtls_sha512_context sha512; + + if( dst_len < 48 ) + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); + + mbedtls_sha512_init( &sha512 ); + mbedtls_sha512_clone( &sha512, &ssl->handshake->fin_sha512 ); + + if( ( ret = mbedtls_sha512_finish( &sha512, dst ) ) != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_sha512_finish", ret ); + goto exit; + } + + *olen = 48; + +exit: + + mbedtls_sha512_free( &sha512 ); + return( ret ); +#endif /* !MBEDTLS_USE_PSA_CRYPTO */ +} +#endif /* MBEDTLS_SHA384_C */ + +#if defined(MBEDTLS_SHA256_C) +static int ssl_tls13_get_handshake_transcript_sha256( mbedtls_ssl_context *ssl, + unsigned char *dst, + size_t dst_len, + size_t *olen ) +{ +#if defined(MBEDTLS_USE_PSA_CRYPTO) + psa_status_t status; + psa_hash_operation_t sha256_psa = psa_hash_operation_init(); + + if( 
dst_len < 32 ) + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); + + MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> PSA calc verify sha256" ) ); + status = psa_hash_clone( &ssl->handshake->fin_sha256_psa, &sha256_psa ); + if( status != PSA_SUCCESS ) + { + MBEDTLS_SSL_DEBUG_MSG( 2, ( "PSA hash clone failed" ) ); + return( MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED ); + } + + status = psa_hash_finish( &sha256_psa, dst, dst_len, olen ); + if( status != PSA_SUCCESS ) + { + MBEDTLS_SSL_DEBUG_MSG( 2, ( "PSA hash finish failed" ) ); + return( MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED ); + } + + *olen = 32; + MBEDTLS_SSL_DEBUG_BUF( 3, "PSA calculated verify result", dst, *olen ); + MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= PSA calc verify" ) ); + return( 0 ); +#else /* MBEDTLS_USE_PSA_CRYPTO */ + int ret; + mbedtls_sha256_context sha256; + + if( dst_len < 32 ) + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); + + mbedtls_sha256_init( &sha256 ); + mbedtls_sha256_clone( &sha256, &ssl->handshake->fin_sha256 ); + + if( ( ret = mbedtls_sha256_finish( &sha256, dst ) ) != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_sha256_finish", ret ); + goto exit; + } + + *olen = 32; + +exit: + + mbedtls_sha256_free( &sha256 ); + return( ret ); +#endif /* !MBEDTLS_USE_PSA_CRYPTO */ +} +#endif /* MBEDTLS_SHA256_C */ + +int mbedtls_ssl_tls13_get_handshake_transcript( mbedtls_ssl_context *ssl, + const mbedtls_md_type_t md, + unsigned char *dst, + size_t dst_len, + size_t *olen ) +{ +#if defined(MBEDTLS_SHA384_C) + if( md == MBEDTLS_MD_SHA384 ) + { + return( ssl_tls13_get_handshake_transcript_sha384( ssl, dst, dst_len, olen ) ); + } + else +#endif /* MBEDTLS_SHA512_C */ +#if defined(MBEDTLS_SHA256_C) + if( md == MBEDTLS_MD_SHA256 ) + { + return( ssl_tls13_get_handshake_transcript_sha256( ssl, dst, dst_len, olen ) ); + } + else +#endif /* MBEDTLS_SHA256_C */ + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); +} + +#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ + #endif /* MBEDTLS_SSL_TLS_C */ 
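Review bot: In the MBEDTLS_USE_PSA_CRYPTO branches of both ssl_tls13_get_handshake_transcript_sha384() and _sha256(), a failing psa_hash_finish() returns without psa_hash_abort() on the cloned operation, so the clone's resources leak and it is left in an error state; the clone-failure exit has the same gap, and `psa_hash_abort( &sha384_psa )` / `psa_hash_abort( &sha256_psa )` belongs on every exit path, mirroring the mbedtls_sha512_free()/mbedtls_sha256_free() at `exit:` in the non-PSA branches. Two copy-paste slips in the SHA-384 variant: its entry trace reads `"=> PSA calc verify sha256"`, and the guard closing the SHA-384 arm of mbedtls_ssl_tls13_get_handshake_transcript() says `#endif /* MBEDTLS_SHA512_C */` while the `#if` it closes tests MBEDTLS_SHA384_C. The non-PSA SHA-384 path only writes 48 bytes if `fin_sha512` was started in SHA-384 mode, which is presumably how the handshake initialises it but is not visible here, so a one-line comment next to the clone stating that assumption would help the next reader. psa_hash_finish() already stores the real length in `*olen`, so the constant assignment after it is redundant; keeping it as a check (`if( *olen != 48 )`) would be more useful than overwriting.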
From 89ea321d96e8727b00bbf6ea632a40586b88a502 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Thu, 9 Sep 2021 14:31:24 +0800 Subject: [PATCH 02/24] tls13: add key_schedule_stage_early_data Signed-off-by: Jerry Yu --- library/ssl_misc.h | 7 +++++++ library/ssl_tls13_keys.c | 27 +++++++++++++++++++++++++++ library/ssl_tls13_keys.h | 25 +++++++++++++++++++++++++ 3 files changed, 59 insertions(+) diff --git a/library/ssl_misc.h b/library/ssl_misc.h index 604976f5fc..5afdc4c5f8 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -675,6 +675,13 @@ struct mbedtls_ssl_handshake_params int extensions_present; /*!< extension presence; Each bitfield represents an extension and defined as \c MBEDTLS_SSL_EXT_XXX */ + + union + { + unsigned char early [MBEDTLS_MD_MAX_SIZE]; + unsigned char handshake[MBEDTLS_MD_MAX_SIZE]; + unsigned char app [MBEDTLS_MD_MAX_SIZE]; + } tls13_master_secrets; #endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ #if defined(MBEDTLS_SSL_SESSION_TICKETS) diff --git a/library/ssl_tls13_keys.c b/library/ssl_tls13_keys.c index 7aec21dffe..b7beb125ca 100644 --- a/library/ssl_tls13_keys.c +++ b/library/ssl_tls13_keys.c 
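Review bot: The new `tls13_master_secrets` union in mbedtls_ssl_handshake_params has no comment explaining why `early`, `handshake` and `app` alias a single buffer, presumably because each stage's secret is derived from and replaces its predecessor in place, and a reader who does not know that may read `early` after the handshake secret has been derived. Add above the union something like `/* The Early, Handshake and Master secrets are derived in sequence, each replacing`, ` * its predecessor, so they share one buffer; only the member for the current`, ` * key-schedule stage holds valid data. */`. These are long-lived secrets, so confirm that mbedtls_ssl_handshake_free() still zeroizes the entire struct (its trailing mbedtls_platform_zeroize()), which this series does not touch.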
@@ -820,4 +820,31 @@ int mbedtls_ssl_tls13_populate_transform( mbedtls_ssl_transform *transform, return( 0 ); } +int mbedtls_ssl_tls13_key_schedule_stage_early_data( mbedtls_ssl_context *ssl ) +{ + int ret = 0; + + if( ssl->handshake->ciphersuite_info == NULL ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "cipher suite info not found" ) ); + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); + } + mbedtls_md_type_t const md_type = ssl->handshake->ciphersuite_info->mac; + const unsigned char *input = NULL; + size_t input_len = 0; +#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) + input = ssl->handshake->psk; + input_len = ssl->handshake->psk_len; +#endif + ret = mbedtls_ssl_tls1_3_evolve_secret( md_type, NULL, input, input_len, + ssl->handshake->tls13_master_secrets.early ); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls1_3_evolve_secret", ret ); + return( ret ); + } + + return( 0 ); +} + #endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ diff --git a/library/ssl_tls13_keys.h b/library/ssl_tls13_keys.h index ca892b1665..592ba12a0f 100644 --- a/library/ssl_tls13_keys.h +++ b/library/ssl_tls13_keys.h 
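Review bot: mbedtls_ssl_tls13_key_schedule_stage_early_data() passes `input = NULL, input_len = 0` whenever MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED is off or no PSK is stored, and RFC 8446 §7.1 requires the PSK input to be a string of Hash.length zero bytes in that case; that is only correct if mbedtls_ssl_tls1_3_evolve_secret() substitutes that zero string for a NULL/zero-length input, which this hunk does not show. Record the dependency with `/* No PSK: evolve_secret() must substitute the all-zero PSK of RFC 8446 §7.1 */` above the call, or pass an explicit zero buffer of `mbedtls_md_get_size()` bytes so the function does not rely on it. The declarations of `md_type`, `input` and `input_len` after the ciphersuite_info check mix declarations and statements, whereas the new function in patch 03 and the rest of the file declare at the top of the block. `ret` is initialised to 0 and then unconditionally assigned, so the initialiser can go.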
@@ -531,4 +531,29 @@ int mbedtls_ssl_tls13_populate_transform( mbedtls_ssl_transform *transform, mbedtls_ssl_key_set const *traffic_keys, mbedtls_ssl_context *ssl ); +/* + * TLS 1.3 key schedule evolutions + * + * Early Data -> Handshake -> Application + * + * Small wrappers around mbedtls_ssl_tls1_3_evolve_secret(). + */ + +/** + * \brief Begin TLS 1.3 key schedule by calculating early secret + * from chosen PSK. + * + * The TLS 1.3 key schedule can be viewed as a simple state machine + * with states Initial -> Early -> Handshake -> Application, and + * this function represents the Initial -> Early transition. + * + * In the early stage, mbedtls_ssl_tls1_3_generate_early_data_keys() + * can be used to derive the 0-RTT traffic keys. + * + * \param ssl The SSL context to operate on. + * + * \returns \c 0 on success. + * \returns A negative error code on failure. + */ +int mbedtls_ssl_tls13_key_schedule_stage_early_data( mbedtls_ssl_context *ssl ); #endif /* MBEDTLS_SSL_TLS1_3_KEYS_H */ From 4925ef5da19db0f3482b59466bc15f80aab861f2 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Thu, 9 Sep 2021 14:42:55 +0800 Subject: [PATCH 03/24] tls13: add generate handshake keys Signed-off-by: Jerry Yu --- library/ssl_misc.h | 23 ++++++++ library/ssl_tls13_keys.c | 116 +++++++++++++++++++++++++++++++++++++++ library/ssl_tls13_keys.h | 37 ++++++------- 3 files changed, 155 insertions(+), 21 deletions(-) diff --git a/library/ssl_misc.h b/library/ssl_misc.h index 5afdc4c5f8..d9759af6c6 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h 
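Review bot: The Doxygen block for mbedtls_ssl_tls13_key_schedule_stage_early_data() tells callers that `mbedtls_ssl_tls1_3_generate_early_data_keys()` can be used in the Early stage, but no function of that name is declared anywhere in this series, so the reference dangles unless a later patch adds it; drop the sentence or point at the real name once it exists. The brief says the early secret is computed "from chosen PSK", yet the implementation also runs without one, so `from the chosen PSK, or from the all-zero PSK when none was negotiated` states the contract more precisely. The returns clause could name the concrete failure the caller can expect, MBEDTLS_ERR_SSL_INTERNAL_ERROR when no ciphersuite has been selected.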
@@ -478,6 +478,27 @@ struct mbedtls_ssl_key_set }; typedef struct mbedtls_ssl_key_set mbedtls_ssl_key_set; +typedef struct +{ + unsigned char binder_key [ MBEDTLS_MD_MAX_SIZE ]; + unsigned char client_early_traffic_secret [ MBEDTLS_MD_MAX_SIZE ]; + unsigned char early_exporter_master_secret[ MBEDTLS_MD_MAX_SIZE ]; +} mbedtls_ssl_tls1_3_early_secrets; + +typedef struct +{ + unsigned char client_handshake_traffic_secret[ MBEDTLS_MD_MAX_SIZE ]; + unsigned char server_handshake_traffic_secret[ MBEDTLS_MD_MAX_SIZE ]; +} mbedtls_ssl_tls1_3_handshake_secrets; + +typedef struct +{ + unsigned char client_application_traffic_secret_N[ MBEDTLS_MD_MAX_SIZE ]; + unsigned char server_application_traffic_secret_N[ MBEDTLS_MD_MAX_SIZE ]; + unsigned char exporter_master_secret [ MBEDTLS_MD_MAX_SIZE ]; + unsigned char resumption_master_secret [ MBEDTLS_MD_MAX_SIZE ]; +} mbedtls_ssl_tls1_3_application_secrets; + /* * This structure contains the parameters only needed during handshake. */ @@ -682,6 +703,8 @@ struct mbedtls_ssl_handshake_params unsigned char handshake[MBEDTLS_MD_MAX_SIZE]; unsigned char app [MBEDTLS_MD_MAX_SIZE]; } tls13_master_secrets; + + mbedtls_ssl_tls1_3_handshake_secrets tls13_hs_secrets; #endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ #if defined(MBEDTLS_SSL_SESSION_TICKETS) diff --git a/library/ssl_tls13_keys.c b/library/ssl_tls13_keys.c index b7beb125ca..5435a25a4c 100644 --- a/library/ssl_tls13_keys.c +++ b/library/ssl_tls13_keys.c 
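Review bot: Adding `mbedtls_ssl_tls1_3_handshake_secrets tls13_hs_secrets` to mbedtls_ssl_handshake_params keeps both handshake traffic secrets alive for the entire handshake, and the field carries no comment saying why they must outlive mbedtls_ssl_tls1_3_make_traffic_keys(); since the Finished keys are derived from these same secrets (RFC 8446 §4.4.4), that is very likely the reason, and `/* Handshake traffic secrets; retained because the Finished keys are derived from them. */` would say so, hedged until the Finished code lands. Moving the three secret structs from ssl_tls13_keys.h into ssl_misc.h makes them visible to every SSL module; presumably that is required so the handshake struct can embed one, which deserves a line in the commit message. Both new members hold key material, so they rely on mbedtls_ssl_handshake_free() wiping the whole struct, which this series does not change.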
@@ -847,4 +847,120 @@ int mbedtls_ssl_tls13_key_schedule_stage_early_data( mbedtls_ssl_context *ssl ) return( 0 ); } +/* mbedtls_ssl_tls13_generate_handshake_keys() generates keys necessary for + * protecting the handshake messages, as described in Section 7 of TLS 1.3. */ +int mbedtls_ssl_tls13_generate_handshake_keys( mbedtls_ssl_context *ssl, + mbedtls_ssl_key_set *traffic_keys ) +{ + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + + mbedtls_md_type_t md_type; + mbedtls_md_info_t const *md_info; + size_t md_size; + + unsigned char transcript[MBEDTLS_MD_MAX_SIZE]; + size_t transcript_len; + + mbedtls_cipher_info_t const *cipher_info; + size_t keylen, ivlen; + + MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> mbedtls_ssl_tls13_generate_handshake_keys" ) ); + + cipher_info = mbedtls_cipher_info_from_type( + ssl->handshake->ciphersuite_info->cipher ); + keylen = cipher_info->key_bitlen >> 3; + ivlen = cipher_info->iv_size; + + md_type = ssl->handshake->ciphersuite_info->mac; + md_info = mbedtls_md_info_from_type( md_type ); + md_size = mbedtls_md_get_size( md_info ); + + ret = mbedtls_ssl_tls13_get_handshake_transcript( ssl, md_type, + transcript, + sizeof( transcript ), + &transcript_len ); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, + "mbedtls_ssl_tls13_get_handshake_transcript", + ret ); + return( ret ); + } + + ret = mbedtls_ssl_tls1_3_derive_handshake_secrets( md_type, + ssl->handshake->tls13_master_secrets.handshake, + transcript, transcript_len, + &ssl->handshake->tls13_hs_secrets ); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls1_3_derive_early_secrets", ret ); + return( ret ); + } + + MBEDTLS_SSL_DEBUG_BUF( 4, "Client handshake traffic secret", + ssl->handshake->tls13_hs_secrets.client_handshake_traffic_secret, + md_size ); + + MBEDTLS_SSL_DEBUG_BUF( 4, "Server handshake traffic secret", + ssl->handshake->tls13_hs_secrets.server_handshake_traffic_secret, + md_size ); + + /* + * Export client handshake traffic secret + */ +#if 
defined(MBEDTLS_SSL_EXPORT_KEYS) + if( ssl->f_export_keys != NULL ) + { + ssl->f_export_keys( ssl->p_export_keys, + MBEDTLS_SSL_KEY_EXPORT_TLS13_CLIENT_HANDSHAKE_TRAFFIC_SECRET, + ssl->handshake->tls13_hs_secrets.client_handshake_traffic_secret, + md_size, + ssl->handshake->randbytes + 32, + ssl->handshake->randbytes, + MBEDTLS_SSL_TLS_PRF_NONE /* TODO: FIX! */ ); + + ssl->f_export_keys( ssl->p_export_keys, + MBEDTLS_SSL_KEY_EXPORT_TLS13_SERVER_HANDSHAKE_TRAFFIC_SECRET, + ssl->handshake->tls13_hs_secrets.server_handshake_traffic_secret, + md_size, + ssl->handshake->randbytes + 32, + ssl->handshake->randbytes, + MBEDTLS_SSL_TLS_PRF_NONE /* TODO: FIX! */ ); + } +#endif /* MBEDTLS_SSL_EXPORT_KEYS */ + + ret = mbedtls_ssl_tls1_3_make_traffic_keys( md_type, + ssl->handshake->tls13_hs_secrets.client_handshake_traffic_secret, + ssl->handshake->tls13_hs_secrets.server_handshake_traffic_secret, + md_size, + keylen, ivlen, traffic_keys ); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls1_3_make_traffic_keys", ret ); + goto exit; + } + + MBEDTLS_SSL_DEBUG_BUF( 4, "client_handshake write_key", + traffic_keys->client_write_key, + traffic_keys->key_len); + + MBEDTLS_SSL_DEBUG_BUF( 4, "server_handshake write_key", + traffic_keys->server_write_key, + traffic_keys->key_len); + + MBEDTLS_SSL_DEBUG_BUF( 4, "client_handshake write_iv", + traffic_keys->client_write_iv, + traffic_keys->iv_len); + + MBEDTLS_SSL_DEBUG_BUF( 4, "server_handshake write_iv", + traffic_keys->server_write_iv, + traffic_keys->iv_len); + + MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= mbedtls_ssl_tls13_generate_handshake_keys" ) ); + +exit: + + return( ret ); +} + #endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ diff --git a/library/ssl_tls13_keys.h b/library/ssl_tls13_keys.h index 592ba12a0f..7176dee0a2 100644 --- a/library/ssl_tls13_keys.h +++ b/library/ssl_tls13_keys.h 
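Review bot: mbedtls_ssl_tls13_generate_handshake_keys() dereferences the result of mbedtls_cipher_info_from_type() at `keylen = cipher_info->key_bitlen >> 3;` without a NULL check, so a ciphersuite whose cipher is compiled out crashes rather than fails, and a NULL `md_info` silently gives `md_size == 0`; add `if( cipher_info == NULL || md_info == NULL ) return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );` before either is used. The error trace after mbedtls_ssl_tls1_3_derive_handshake_secrets() names `"mbedtls_ssl_tls1_3_derive_early_secrets"`, which sends anyone debugging a failure to the wrong function. The key-export calls pass `randbytes + 32` as client_random and `randbytes` as server_random; whether that matches where the TLS 1.3 ClientHello/ServerHello code stores each random is not visible in this hunk, and it is worth verifying because SSLKEYLOGFILE consumers index on the client random and a swap makes decryption fail silently, while `MBEDTLS_SSL_TLS_PRF_NONE /* TODO: FIX! */` should become a tracked issue rather than an inline TODO. The first failure returns directly whereas later ones `goto exit`, and `exit:` only returns, so pick one form.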
@@ -70,27 +70,6 @@ extern const struct mbedtls_ssl_tls1_3_labels_struct mbedtls_ssl_tls1_3_labels; #define MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_CONTEXT_LEN \ MBEDTLS_MD_MAX_SIZE -typedef struct -{ - unsigned char binder_key [ MBEDTLS_MD_MAX_SIZE ]; - unsigned char client_early_traffic_secret [ MBEDTLS_MD_MAX_SIZE ]; - unsigned char early_exporter_master_secret[ MBEDTLS_MD_MAX_SIZE ]; -} mbedtls_ssl_tls1_3_early_secrets; - -typedef struct -{ - unsigned char client_handshake_traffic_secret[ MBEDTLS_MD_MAX_SIZE ]; - unsigned char server_handshake_traffic_secret[ MBEDTLS_MD_MAX_SIZE ]; -} mbedtls_ssl_tls1_3_handshake_secrets; - -typedef struct -{ - unsigned char client_application_traffic_secret_N[ MBEDTLS_MD_MAX_SIZE ]; - unsigned char server_application_traffic_secret_N[ MBEDTLS_MD_MAX_SIZE ]; - unsigned char exporter_master_secret [ MBEDTLS_MD_MAX_SIZE ]; - unsigned char resumption_master_secret [ MBEDTLS_MD_MAX_SIZE ]; -} mbedtls_ssl_tls1_3_application_secrets; - /* Maximum desired length for expanded key material generated * by HKDF-Expand-Label. * @@ -556,4 +535,20 @@ int mbedtls_ssl_tls13_populate_transform( mbedtls_ssl_transform *transform, * \returns A negative error code on failure. */ int mbedtls_ssl_tls13_key_schedule_stage_early_data( mbedtls_ssl_context *ssl ); + +/** + * \brief Compute TLS 1.3 handshake traffic keys. + * + * \param ssl The SSL context to operate on. This must be in + * key schedule stage \c Handshake, see + * mbedtls_ssl_tls13_key_schedule_stage_handshake(). + * \param traffic_keys The address at which to store the handshake traffic key + * keys. This must be writable but may be uninitialized. + * + * \returns \c 0 on success. + * \returns A negative error code on failure. + */ +int mbedtls_ssl_tls13_generate_handshake_keys( mbedtls_ssl_context *ssl, + mbedtls_ssl_key_set *traffic_keys ); + #endif /* MBEDTLS_SSL_TLS1_3_KEYS_H */ From 7bea4bac96227cd288ab79d744c7d0a12e0a9d77 Mon Sep 17 00:00:00 2001 
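Review bot: The Doxygen for mbedtls_ssl_tls13_generate_handshake_keys() refers the caller to `mbedtls_ssl_tls13_key_schedule_stage_handshake()` for its precondition, but that function is not declared in this series (only the early-data stage is), so the reference dangles until a later patch adds it; state the precondition directly, that `ssl->handshake->tls13_master_secrets.handshake` already holds the Handshake Secret, and name the function once it exists. `handshake traffic key keys` has a doubled word. The text also omits the two side effects a caller should know about: the key-export callback is invoked when MBEDTLS_SSL_EXPORT_KEYS is set, and `traffic_keys` receives raw key material that the caller must zeroize once the transform has been populated, assuming that is the intended ownership.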
From: Jerry Yu Date: Thu, 9 Sep 2021 15:06:18 +0800 Subject: [PATCH 04/24] tls13: add checksum of handshake message Signed-off-by: Jerry Yu --- library/ssl_misc.h | 8 ++++++++ library/ssl_tls13_generic.c | 9 +++++++++ 2 files changed, 17 insertions(+) diff --git a/library/ssl_misc.h b/library/ssl_misc.h index d9759af6c6..4ccfbc52d5 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -1523,6 +1523,14 @@ void mbedtls_ssl_tls13_add_hs_hdr_to_checksum( mbedtls_ssl_context *ssl, unsigned hs_type, size_t total_hs_len ); +/* + * Update checksum of handshake message + */ +void mbedtls_ssl_tls13_add_hs_msg_to_checksum( mbedtls_ssl_context *ssl, + unsigned hs_type, + unsigned char const *msg, + size_t msg_len ); + /* Get handshake transcript */ int mbedtls_ssl_tls13_get_handshake_transcript( mbedtls_ssl_context *ssl, const mbedtls_md_type_t md, diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c index 5c20f29283..bac11787d8 100644 --- a/library/ssl_tls13_generic.c +++ b/library/ssl_tls13_generic.c @@ -66,6 +66,15 @@ cleanup: return( ret ); } +void mbedtls_ssl_tls13_add_hs_msg_to_checksum( mbedtls_ssl_context *ssl, + unsigned hs_type, + unsigned char const *msg, + size_t msg_len ) +{ + mbedtls_ssl_tls13_add_hs_hdr_to_checksum( ssl, hs_type, msg_len ); + ssl->handshake->update_checksum( ssl, msg, msg_len ); +} + void mbedtls_ssl_tls13_add_hs_hdr_to_checksum( mbedtls_ssl_context *ssl, unsigned hs_type, size_t total_hs_len ) From d3f73349a7b54507bc4becf960bea9ffc2132a3b Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Thu, 9 Sep 2021 15:42:32 +0800 Subject: [PATCH 05/24] tls13: add ecdh_read_public Signed-off-by: Jerry Yu --- library/ecdh.c | 50 ++++++++++++++++++++++++++++++++++++++++++++++ library/ecp.c | 34 +++++++++++++++++++++++++++++++ library/ssl_misc.h | 18 +++++++++++++++++ 3 files changed, 102 insertions(+) diff --git a/library/ecdh.c b/library/ecdh.c index b72bd1fe08..b1d7c2a3b3 100644 --- a/library/ecdh.c +++ b/library/ecdh.c 
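Review bot: mbedtls_ssl_tls13_add_hs_msg_to_checksum() takes a `size_t msg_len` and hands it to mbedtls_ssl_tls13_add_hs_hdr_to_checksum(), which by its name and the TLS handshake header format serialises it into a 3-byte length field, so a value above 2^24-1 would be silently truncated and the transcript would diverge from the wire; callers presumably pass bounded buffer lengths, but that constraint is only visible in the hdr function, which is outside this hunk. Document it on the new function: `/* Hash one complete handshake message into the transcript: the 4-byte header`, ` * rebuilt from hs_type and msg_len, then the body. msg_len must fit in 24 bits. */`. Placing the wrapper after mbedtls_ssl_tls13_add_hs_hdr_to_checksum() rather than before it would read top-down, though the prototype in ssl_misc.h makes the current order compile.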
@@ -31,6 +31,7 @@ #include "mbedtls/ecdh.h" #include "mbedtls/platform_util.h" #include "mbedtls/error.h" +#include "ssl_misc.h" #include "ecdh_misc.h" @@ -690,6 +691,55 @@ static int ecdh_calc_secret_internal( mbedtls_ecdh_context_mbed *ctx, return mbedtls_mpi_write_binary( &ctx->z, buf, *olen ); } +#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) + +static int ecdh_read_tls13_public_internal( mbedtls_ecdh_context_mbed *ctx, + const unsigned char *buf, + size_t blen ) +{ + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + const unsigned char *p = buf; + + if( ( ret = mbedtls_ecp_tls13_read_point( &ctx->grp, &ctx->Qp, &p, + blen ) ) != 0 ) + return( ret ); + + if( (size_t)( p - buf ) != blen ) + return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA ); + + return( 0 ); +} + +/* + * Parse and import the client's TLS 1.3 public value + */ +int mbedtls_ecdh_tls13_read_public( mbedtls_ecdh_context *ctx, + const unsigned char *buf, size_t blen ) +{ + ECDH_VALIDATE_RET( ctx != NULL ); + ECDH_VALIDATE_RET( buf != NULL ); + +#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT) + return( ecdh_read_tls13_public_internal( ctx, buf, blen ) ); +#else + switch( ctx->var ) + { +#if defined(MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED) + case MBEDTLS_ECDH_VARIANT_EVEREST: + return( mbedtls_everest_read_public( &ctx->ctx.everest_ecdh, + buf, blen ) ); +#endif + case MBEDTLS_ECDH_VARIANT_MBEDTLS_2_0: + return( ecdh_read_tls13_public_internal( &ctx->ctx.mbed_ecdh, + buf, blen ) ); + default: + return MBEDTLS_ERR_ECP_BAD_INPUT_DATA; + } +#endif +} + +#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ + /* * Derive and export the shared secret */ diff --git a/library/ecp.c b/library/ecp.c index 0212069c83..a49cc457bc 100644 --- a/library/ecp.c +++ b/library/ecp.c @@ -79,6 +79,7 @@ #include "bn_mul.h" #include "ecp_invasive.h" +#include "ssl_misc.h" #include 
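Review bot: mbedtls_ecdh_tls13_read_public() is added to the crypto module ecdh.c but declared in library/ssl_misc.h, and ecdh.c now does `#include "ssl_misc.h"` to see it, which makes a crypto source file depend on the TLS layer and on MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL; the prototype belongs in ecdh.h or ecdh_misc.h beside mbedtls_ecdh_read_public(), and the same applies to the ecp.c change. The MBEDTLS_ECDH_VARIANT_EVEREST arm delegates to mbedtls_everest_read_public(), which as far as I know parses the TLS 1.2 encoding with a one-byte length prefix, whereas the TLS 1.3 KeyShareEntry uses a two-byte prefix that the mbed arm parses via mbedtls_ecp_tls13_read_point(), so that path looks wrong unless Everest has a 1.3-aware reader, please confirm. `default: return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;` drops the `return( ... )` form the rest of the file uses. Patch 08 in this same series reverts the whole commit, so squashing the pair keeps the history reviewable.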
@@ -1051,6 +1052,39 @@ cleanup: return( ret ); } +#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) + +int mbedtls_ecp_tls13_read_point( const mbedtls_ecp_group *grp, + mbedtls_ecp_point *pt, + const unsigned char **buf, size_t buf_len ) +{ + unsigned char data_len; + const unsigned char *buf_start; + ECP_VALIDATE_RET( grp != NULL ); + ECP_VALIDATE_RET( pt != NULL ); + ECP_VALIDATE_RET( buf != NULL ); + ECP_VALIDATE_RET( *buf != NULL ); + + if( buf_len < 3 ) + return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA ); + + data_len = ( *( *buf ) << 8 ) | *( *buf+1 ); + *buf += 2; + + if( data_len < 1 || data_len > buf_len - 2 ) + return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA ); + + /* + * Save buffer start for read_binary and update buf + */ + buf_start = *buf; + *buf += data_len; + + return( mbedtls_ecp_point_read_binary( grp, pt, buf_start, data_len ) ); +} + +#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ + /* * Fast mod-p functions expect their argument to be in the 0..p^2 range. * diff --git a/library/ssl_misc.h b/library/ssl_misc.h index 4ccfbc52d5..6206c6f5b1 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -1538,6 +1538,24 @@ int mbedtls_ssl_tls13_get_handshake_transcript( mbedtls_ssl_context *ssl, size_t dst_len, size_t *olen ); +#if defined(MBEDTLS_ECDH_C) +/* + * TLS 1.3 version of mbedtls_ecdh_read_public in ecdh.h + */ +int mbedtls_ecdh_tls13_read_public( mbedtls_ecdh_context *ctx, + const unsigned char *buf, + size_t blen ); +#endif /* MBEDTLS_ECDH_C */ + +#if defined(MBEDTLS_ECP_C) +/* + * TLS 1.3 version of mbedtls_ecp_tls_read_point in ecp.h + */ +int mbedtls_ecp_tls13_read_point( const mbedtls_ecp_group *grp, + mbedtls_ecp_point *pt, + const unsigned char **buf, size_t len ); +#endif /* MBEDTLS_ECP_C */ + #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) /* * Write TLS 1.3 Signature Algorithm extension From c7875b5f11d400f00f4ee6f8ccc83ffd4756dd08 Mon Sep 17 00:00:00 2001 
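Review bot: mbedtls_ecp_tls13_read_point() declares `unsigned char data_len;` and assigns it the 16-bit value `( *( *buf ) << 8 ) | *( *buf+1 )`, so the high byte of the two-byte length prefix is discarded: a 65-byte P-256 point (0x0041) happens to fit, but any length of 256 or more is read as its low byte, and a prefix such as 0x0141 parses as 0x41, passes the `data_len > buf_len - 2` bound on the truncated value, and leaves the remainder for the caller's `p - buf != blen` check to reject for the wrong reason. Declare it `size_t data_len;` so the bound is evaluated on the real length. The prototype in ssl_misc.h names the last parameter `len` while the definition uses `buf_len`; keep them identical. Patch 08 reverts this commit, so the fix should go into whatever replaces it.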
From: Jerry Yu Date: Sun, 5 Sep 2021 21:05:50 +0800 Subject: [PATCH 06/24] add set in/out transform utils Signed-off-by: Jerry Yu --- library/ssl_misc.h | 8 ++++++++ library/ssl_msg.c | 17 +++++++++++++++++ 2 files changed, 25 insertions(+) diff --git a/library/ssl_misc.h b/library/ssl_misc.h index 6206c6f5b1..8b2d50d2f0 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -986,6 +986,14 @@ void mbedtls_ssl_transform_free( mbedtls_ssl_transform *transform ); */ void mbedtls_ssl_handshake_free( mbedtls_ssl_context *ssl ); +/* set inbound transform of ssl context */ +void mbedtls_ssl_set_inbound_transform( mbedtls_ssl_context *ssl, + mbedtls_ssl_transform *transform ); + +/* set outbound transform of ssl context */ +void mbedtls_ssl_set_outbound_transform( mbedtls_ssl_context *ssl, + mbedtls_ssl_transform *transform ); + int mbedtls_ssl_handshake_client_step( mbedtls_ssl_context *ssl ); int mbedtls_ssl_handshake_server_step( mbedtls_ssl_context *ssl ); void mbedtls_ssl_handshake_wrapup( mbedtls_ssl_context *ssl ); diff --git a/library/ssl_msg.c b/library/ssl_msg.c index 2fe801a283..fcdd0249bc 100644 --- a/library/ssl_msg.c +++ b/library/ssl_msg.c @@ -5551,6 +5551,23 @@ void mbedtls_ssl_transform_free( mbedtls_ssl_transform *transform ) mbedtls_platform_zeroize( transform, sizeof( mbedtls_ssl_transform ) ); } +void mbedtls_ssl_set_inbound_transform( mbedtls_ssl_context *ssl, + mbedtls_ssl_transform *transform ) +{ + if( ssl->transform_in == transform ) + return; + + ssl->transform_in = transform; + mbedtls_platform_zeroize( ssl->in_ctr, 8 ); +} + +void mbedtls_ssl_set_outbound_transform( mbedtls_ssl_context *ssl, + mbedtls_ssl_transform *transform ) +{ + ssl->transform_out = transform; + mbedtls_platform_zeroize( ssl->cur_out_ctr, 8 ); +} + #if defined(MBEDTLS_SSL_PROTO_DTLS) void mbedtls_ssl_buffering_free( mbedtls_ssl_context *ssl ) From 000f9760707bfc866e47d7a078b0b776bd7211d4 Mon Sep 17 00:00:00 2001 
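Review bot: mbedtls_ssl_set_inbound_transform() and mbedtls_ssl_set_outbound_transform() are asymmetric: the inbound setter returns early and keeps `in_ctr` when the same transform is re-installed, while the outbound setter always resets `cur_out_ctr`, and neither says why; if re-installing an inbound transform must preserve the sequence number, comment that, otherwise make the two match. Both reset with a hard-coded `8` instead of `sizeof( ssl->in_ctr )` / `sizeof( ssl->cur_out_ctr )`, and patch 09 later fixes only the outbound one. A one-line `/* RFC 8446 §5.3: the record sequence number restarts at 0 whenever the traffic keys change */` on each would explain the zeroize, and the ssl_misc.h comments should state that the previously installed transform is not freed and remains the caller's responsibility.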
From: Jerry Yu Date: Tue, 14 Sep 2021 11:12:51 +0800 Subject: [PATCH 07/24] Rename get_handshake_transcript - Remove tls13 prefix - Remove TLS1_3 macro wrap Signed-off-by: Jerry Yu --- library/ssl_misc.h | 14 +++++++------- library/ssl_tls.c | 34 +++++++++++++++------------------- library/ssl_tls13_keys.c | 4 ++-- 3 files changed, 24 insertions(+), 28 deletions(-) diff --git a/library/ssl_misc.h b/library/ssl_misc.h index 8b2d50d2f0..44bfcb0062 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -1539,13 +1539,6 @@ void mbedtls_ssl_tls13_add_hs_msg_to_checksum( mbedtls_ssl_context *ssl, unsigned char const *msg, size_t msg_len ); -/* Get handshake transcript */ -int mbedtls_ssl_tls13_get_handshake_transcript( mbedtls_ssl_context *ssl, - const mbedtls_md_type_t md, - unsigned char *dst, - size_t dst_len, - size_t *olen ); - #if defined(MBEDTLS_ECDH_C) /* * TLS 1.3 version of mbedtls_ecdh_read_public in ecdh.h @@ -1577,4 +1570,11 @@ int mbedtls_ssl_tls13_write_sig_alg_ext( mbedtls_ssl_context *ssl, #endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ +/* Get handshake transcript */ +int mbedtls_ssl_get_handshake_transcript( mbedtls_ssl_context *ssl, + const mbedtls_md_type_t md, + unsigned char *dst, + size_t dst_len, + size_t *olen ); + #endif /* ssl_misc.h */ diff --git a/library/ssl_tls.c b/library/ssl_tls.c index dc7b1e85c6..ae5a5b8026 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -6978,13 +6978,11 @@ exit: #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) - #if defined(MBEDTLS_SHA384_C) -static int ssl_tls13_get_handshake_transcript_sha384( mbedtls_ssl_context *ssl, - unsigned char *dst, - size_t dst_len, - size_t *olen ) +static int ssl_get_handshake_transcript_sha384( mbedtls_ssl_context *ssl, + unsigned char *dst, + size_t dst_len, + size_t *olen ) { #if defined(MBEDTLS_USE_PSA_CRYPTO) psa_status_t status; 
@@ -7039,10 +7037,10 @@ exit: #endif /* MBEDTLS_SHA384_C */ #if defined(MBEDTLS_SHA256_C) -static int ssl_tls13_get_handshake_transcript_sha256( mbedtls_ssl_context *ssl, - unsigned char *dst, - size_t dst_len, - size_t *olen ) +static int ssl_get_handshake_transcript_sha256( mbedtls_ssl_context *ssl, + unsigned char *dst, + size_t dst_len, + size_t *olen ) { #if defined(MBEDTLS_USE_PSA_CRYPTO) psa_status_t status; @@ -7096,29 +7094,27 @@ exit: } #endif /* MBEDTLS_SHA256_C */ -int mbedtls_ssl_tls13_get_handshake_transcript( mbedtls_ssl_context *ssl, - const mbedtls_md_type_t md, - unsigned char *dst, - size_t dst_len, - size_t *olen ) +int mbedtls_ssl_get_handshake_transcript( mbedtls_ssl_context *ssl, + const mbedtls_md_type_t md, + unsigned char *dst, + size_t dst_len, + size_t *olen ) { #if defined(MBEDTLS_SHA384_C) if( md == MBEDTLS_MD_SHA384 ) { - return( ssl_tls13_get_handshake_transcript_sha384( ssl, dst, dst_len, olen ) ); + return( ssl_get_handshake_transcript_sha384( ssl, dst, dst_len, olen ) ); } else #endif /* MBEDTLS_SHA512_C */ #if defined(MBEDTLS_SHA256_C) if( md == MBEDTLS_MD_SHA256 ) { - return( ssl_tls13_get_handshake_transcript_sha256( ssl, dst, dst_len, olen ) ); + return( ssl_get_handshake_transcript_sha256( ssl, dst, dst_len, olen ) ); } else #endif /* MBEDTLS_SHA256_C */ return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); } -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ - #endif /* MBEDTLS_SSL_TLS_C */ diff --git a/library/ssl_tls13_keys.c b/library/ssl_tls13_keys.c index 5435a25a4c..7e65268196 100644 --- a/library/ssl_tls13_keys.c +++ b/library/ssl_tls13_keys.c 
@@ -875,14 +875,14 @@ int mbedtls_ssl_tls13_generate_handshake_keys( mbedtls_ssl_context *ssl, md_info = mbedtls_md_info_from_type( md_type ); md_size = mbedtls_md_get_size( md_info ); - ret = mbedtls_ssl_tls13_get_handshake_transcript( ssl, md_type, + ret = mbedtls_ssl_get_handshake_transcript( ssl, md_type, transcript, sizeof( transcript ), &transcript_len ); if( ret != 0 ) { MBEDTLS_SSL_DEBUG_RET( 1, - "mbedtls_ssl_tls13_get_handshake_transcript", + "mbedtls_ssl_get_handshake_transcript", ret ); return( ret ); } From a63de352dc1b847c45fb618fe0c56c7ba8ebd20c Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Thu, 9 Sep 2021 15:42:32 +0800 Subject: [PATCH 08/24] Revert "tls13: add ecdh_read_public" This reverts commit 6a9d2ee4df88028e352e50d4f48687ce5b0f26ac. Signed-off-by: Jerry Yu --- library/ecdh.c | 50 ---------------------------------------------- library/ecp.c | 34 ------------------------------- library/ssl_misc.h | 18 ----------------- 3 files changed, 102 deletions(-) diff --git a/library/ecdh.c b/library/ecdh.c index b1d7c2a3b3..b72bd1fe08 100644 --- a/library/ecdh.c +++ b/library/ecdh.c @@ -31,7 +31,6 @@ #include "mbedtls/ecdh.h" #include "mbedtls/platform_util.h" #include "mbedtls/error.h" -#include "ssl_misc.h" #include "ecdh_misc.h" 
@@ -691,55 +690,6 @@ static int ecdh_calc_secret_internal( mbedtls_ecdh_context_mbed *ctx, return mbedtls_mpi_write_binary( &ctx->z, buf, *olen ); } -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) - -static int ecdh_read_tls13_public_internal( mbedtls_ecdh_context_mbed *ctx, - const unsigned char *buf, - size_t blen ) -{ - int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - const unsigned char *p = buf; - - if( ( ret = mbedtls_ecp_tls13_read_point( &ctx->grp, &ctx->Qp, &p, - blen ) ) != 0 ) - return( ret ); - - if( (size_t)( p - buf ) != blen ) - return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA ); - - return( 0 ); -} - -/* - * Parse and import the client's TLS 1.3 public value - */ -int mbedtls_ecdh_tls13_read_public( mbedtls_ecdh_context *ctx, - const unsigned char *buf, size_t blen ) -{ - ECDH_VALIDATE_RET( ctx != NULL ); - ECDH_VALIDATE_RET( buf != NULL ); - -#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT) - return( ecdh_read_tls13_public_internal( ctx, buf, blen ) ); -#else - switch( ctx->var ) - { -#if defined(MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED) - case MBEDTLS_ECDH_VARIANT_EVEREST: - return( mbedtls_everest_read_public( &ctx->ctx.everest_ecdh, - buf, blen ) ); -#endif - case MBEDTLS_ECDH_VARIANT_MBEDTLS_2_0: - return( ecdh_read_tls13_public_internal( &ctx->ctx.mbed_ecdh, - buf, blen ) ); - default: - return MBEDTLS_ERR_ECP_BAD_INPUT_DATA; - } -#endif -} - -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ - /* * Derive and export the shared secret */ diff --git a/library/ecp.c b/library/ecp.c index a49cc457bc..0212069c83 100644 --- a/library/ecp.c +++ b/library/ecp.c @@ -79,7 +79,6 @@ #include "bn_mul.h" #include "ecp_invasive.h" -#include "ssl_misc.h" #include 
@@ -1052,39 +1051,6 @@ cleanup: return( ret ); } -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) - -int mbedtls_ecp_tls13_read_point( const mbedtls_ecp_group *grp, - mbedtls_ecp_point *pt, - const unsigned char **buf, size_t buf_len ) -{ - unsigned char data_len; - const unsigned char *buf_start; - ECP_VALIDATE_RET( grp != NULL ); - ECP_VALIDATE_RET( pt != NULL ); - ECP_VALIDATE_RET( buf != NULL ); - ECP_VALIDATE_RET( *buf != NULL ); - - if( buf_len < 3 ) - return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA ); - - data_len = ( *( *buf ) << 8 ) | *( *buf+1 ); - *buf += 2; - - if( data_len < 1 || data_len > buf_len - 2 ) - return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA ); - - /* - * Save buffer start for read_binary and update buf - */ - buf_start = *buf; - *buf += data_len; - - return( mbedtls_ecp_point_read_binary( grp, pt, buf_start, data_len ) ); -} - -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ - /* * Fast mod-p functions expect their argument to be in the 0..p^2 range. * diff --git a/library/ssl_misc.h b/library/ssl_misc.h index 44bfcb0062..8c5a32d67a 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -1539,24 +1539,6 @@ void mbedtls_ssl_tls13_add_hs_msg_to_checksum( mbedtls_ssl_context *ssl, unsigned char const *msg, size_t msg_len ); -#if defined(MBEDTLS_ECDH_C) -/* - * TLS 1.3 version of mbedtls_ecdh_read_public in ecdh.h - */ -int mbedtls_ecdh_tls13_read_public( mbedtls_ecdh_context *ctx, - const unsigned char *buf, - size_t blen ); -#endif /* MBEDTLS_ECDH_C */ - -#if defined(MBEDTLS_ECP_C) -/* - * TLS 1.3 version of mbedtls_ecp_tls_read_point in ecp.h - */ -int mbedtls_ecp_tls13_read_point( const mbedtls_ecp_group *grp, - mbedtls_ecp_point *pt, - const unsigned char **buf, size_t len ); -#endif /* MBEDTLS_ECP_C */ - #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) /* * Write TLS 1.3 Signature Algorithm extension From e3131ef7f34055748d11e1e252124cf6c561a899 Mon Sep 17 00:00:00 2001 
From: Jerry Yu Date: Thu, 16 Sep 2021 13:14:15 +0800 Subject: [PATCH 09/24] fix various issues Signed-off-by: Jerry Yu --- library/ssl_misc.h | 2 +- library/ssl_msg.c | 2 +- library/ssl_tls13_keys.c | 36 ++++++++++++++++++++---------------- library/ssl_tls13_keys.h | 2 +- 4 files changed, 23 insertions(+), 19 deletions(-) diff --git a/library/ssl_misc.h b/library/ssl_misc.h index 8c5a32d67a..1b5861c635 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -1532,7 +1532,7 @@ void mbedtls_ssl_tls13_add_hs_hdr_to_checksum( mbedtls_ssl_context *ssl, size_t total_hs_len ); /* - * Update checksum of handshake message + * Update checksum of handshake messages. */ void mbedtls_ssl_tls13_add_hs_msg_to_checksum( mbedtls_ssl_context *ssl, unsigned hs_type, diff --git a/library/ssl_msg.c b/library/ssl_msg.c index fcdd0249bc..ea1d535a06 100644 --- a/library/ssl_msg.c +++ b/library/ssl_msg.c @@ -5565,7 +5565,7 @@ void mbedtls_ssl_set_outbound_transform( mbedtls_ssl_context *ssl, mbedtls_ssl_transform *transform ) { ssl->transform_out = transform; - mbedtls_platform_zeroize( ssl->cur_out_ctr, 8 ); + mbedtls_platform_zeroize( ssl->cur_out_ctr, sizeof( ssl->cur_out_ctr ) ); } #if defined(MBEDTLS_SSL_PROTO_DTLS) diff --git a/library/ssl_tls13_keys.c b/library/ssl_tls13_keys.c index 7e65268196..bfc3103fcb 100644 --- a/library/ssl_tls13_keys.c +++ b/library/ssl_tls13_keys.c @@ -21,14 +21,16 @@ #if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) -#include "mbedtls/hkdf.h" -#include "ssl_misc.h" -#include "ssl_tls13_keys.h" -#include "mbedtls/debug.h" - #include #include +#include "mbedtls/hkdf.h" +#include "mbedtls/debug.h" +#include "mbedtls/error.h" + +#include "ssl_misc.h" +#include "ssl_tls13_keys.h" + #define MBEDTLS_SSL_TLS1_3_LABEL( name, string ) \ .name = string, 
@@ -820,24 +822,25 @@ int mbedtls_ssl_tls13_populate_transform( mbedtls_ssl_transform *transform, return( 0 ); } -int mbedtls_ssl_tls13_key_schedule_stage_early_data( mbedtls_ssl_context *ssl ) +int mbedtls_ssl_tls13_key_schedule_stage_early( mbedtls_ssl_context *ssl ) { - int ret = 0; - + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + mbedtls_md_type_t md_type; + const unsigned char *input = NULL; + size_t input_len = 0; if( ssl->handshake->ciphersuite_info == NULL ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "cipher suite info not found" ) ); return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); } - mbedtls_md_type_t const md_type = ssl->handshake->ciphersuite_info->mac; - const unsigned char *input = NULL; - size_t input_len = 0; + + md_type = ssl->handshake->ciphersuite_info->mac; #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) input = ssl->handshake->psk; input_len = ssl->handshake->psk_len; #endif ret = mbedtls_ssl_tls1_3_evolve_secret( md_type, NULL, input, input_len, - ssl->handshake->tls13_master_secrets.early ); + ssl->handshake->tls13_master_secrets.early ); if( ret != 0 ) { MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls1_3_evolve_secret", ret ); @@ -876,9 +879,9 @@ int mbedtls_ssl_tls13_generate_handshake_keys( mbedtls_ssl_context *ssl, md_size = mbedtls_md_get_size( md_info ); ret = mbedtls_ssl_get_handshake_transcript( ssl, md_type, - transcript, - sizeof( transcript ), - &transcript_len ); + transcript, + sizeof( transcript ), + &transcript_len ); if( ret != 0 ) { MBEDTLS_SSL_DEBUG_RET( 1, @@ -893,7 +896,8 @@ int mbedtls_ssl_tls13_generate_handshake_keys( mbedtls_ssl_context *ssl, &ssl->handshake->tls13_hs_secrets ); if( ret != 0 ) { - MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls1_3_derive_early_secrets", ret ); + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls1_3_derive_handshake_secrets", + ret ); return( ret ); } diff --git a/library/ssl_tls13_keys.h b/library/ssl_tls13_keys.h index 7176dee0a2..407b5d613d 100644 --- a/library/ssl_tls13_keys.h +++ b/library/ssl_tls13_keys.h 
@@ -534,7 +534,7 @@ int mbedtls_ssl_tls13_populate_transform( mbedtls_ssl_transform *transform, * \returns \c 0 on success. * \returns A negative error code on failure. */ -int mbedtls_ssl_tls13_key_schedule_stage_early_data( mbedtls_ssl_context *ssl ); +int mbedtls_ssl_tls13_key_schedule_stage_early( mbedtls_ssl_context *ssl ); /** * \brief Compute TLS 1.3 handshake traffic keys. From 524314247686801c7fda1574ea2f00e6163e6e29 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Thu, 16 Sep 2021 13:25:04 +0800 Subject: [PATCH 10/24] Add macro for length of input counter Signed-off-by: Jerry Yu --- library/ssl_msg.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/library/ssl_msg.c b/library/ssl_msg.c index ea1d535a06..36a3e202ff 100644 --- a/library/ssl_msg.c +++ b/library/ssl_msg.c @@ -54,6 +54,8 @@ #include "mbedtls/oid.h" #endif +#define MBEDTLS_SSL_IN_CTR_LEN 8 + static uint32_t ssl_get_hs_total_len( mbedtls_ssl_context const *ssl ); /* @@ -4791,7 +4793,7 @@ int mbedtls_ssl_parse_change_cipher_spec( mbedtls_ssl_context *ssl ) } else #endif /* MBEDTLS_SSL_PROTO_DTLS */ - memset( ssl->in_ctr, 0, 8 ); + mbedtls_platform_zeroize( ssl->in_ctr, MBEDTLS_SSL_IN_CTR_LEN ); mbedtls_ssl_update_in_pointers( ssl ); @@ -5558,7 +5560,7 @@ void mbedtls_ssl_set_inbound_transform( mbedtls_ssl_context *ssl, return; ssl->transform_in = transform; - mbedtls_platform_zeroize( ssl->in_ctr, 8 ); + mbedtls_platform_zeroize( ssl->in_ctr, MBEDTLS_SSL_IN_CTR_LEN ); } void mbedtls_ssl_set_outbound_transform( mbedtls_ssl_context *ssl, From b65eb2f3cf6f170c838ac0f7d9acf9da0450f033 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Thu, 16 Sep 2021 13:43:28 +0800 Subject: [PATCH 11/24] Revert "tls13: add generate handshake keys" This reverts commit f02ca4158674b974ae103849c43e0c92efc40e8c. 
Signed-off-by: Jerry Yu --- library/ssl_misc.h | 23 -------- library/ssl_tls13_keys.c | 117 --------------------------------------- library/ssl_tls13_keys.h | 36 +++++++----- 3 files changed, 21 insertions(+), 155 deletions(-) diff --git a/library/ssl_misc.h b/library/ssl_misc.h index 1b5861c635..fb261a0d6d 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -478,27 +478,6 @@ struct mbedtls_ssl_key_set }; typedef struct mbedtls_ssl_key_set mbedtls_ssl_key_set; -typedef struct -{ - unsigned char binder_key [ MBEDTLS_MD_MAX_SIZE ]; - unsigned char client_early_traffic_secret [ MBEDTLS_MD_MAX_SIZE ]; - unsigned char early_exporter_master_secret[ MBEDTLS_MD_MAX_SIZE ]; -} mbedtls_ssl_tls1_3_early_secrets; - -typedef struct -{ - unsigned char client_handshake_traffic_secret[ MBEDTLS_MD_MAX_SIZE ]; - unsigned char server_handshake_traffic_secret[ MBEDTLS_MD_MAX_SIZE ]; -} mbedtls_ssl_tls1_3_handshake_secrets; - -typedef struct -{ - unsigned char client_application_traffic_secret_N[ MBEDTLS_MD_MAX_SIZE ]; - unsigned char server_application_traffic_secret_N[ MBEDTLS_MD_MAX_SIZE ]; - unsigned char exporter_master_secret [ MBEDTLS_MD_MAX_SIZE ]; - unsigned char resumption_master_secret [ MBEDTLS_MD_MAX_SIZE ]; -} mbedtls_ssl_tls1_3_application_secrets; - /* * This structure contains the parameters only needed during handshake. */ @@ -703,8 +682,6 @@ struct mbedtls_ssl_handshake_params unsigned char handshake[MBEDTLS_MD_MAX_SIZE]; unsigned char app [MBEDTLS_MD_MAX_SIZE]; } tls13_master_secrets; - - mbedtls_ssl_tls1_3_handshake_secrets tls13_hs_secrets; #endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ #if defined(MBEDTLS_SSL_SESSION_TICKETS) diff --git a/library/ssl_tls13_keys.c b/library/ssl_tls13_keys.c index bfc3103fcb..32b68666be 100644 --- a/library/ssl_tls13_keys.c +++ b/library/ssl_tls13_keys.c 
@@ -850,121 +850,4 @@ int mbedtls_ssl_tls13_key_schedule_stage_early( mbedtls_ssl_context *ssl ) return( 0 ); } -/* mbedtls_ssl_tls13_generate_handshake_keys() generates keys necessary for - * protecting the handshake messages, as described in Section 7 of TLS 1.3. */ -int mbedtls_ssl_tls13_generate_handshake_keys( mbedtls_ssl_context *ssl, - mbedtls_ssl_key_set *traffic_keys ) -{ - int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - - mbedtls_md_type_t md_type; - mbedtls_md_info_t const *md_info; - size_t md_size; - - unsigned char transcript[MBEDTLS_MD_MAX_SIZE]; - size_t transcript_len; - - mbedtls_cipher_info_t const *cipher_info; - size_t keylen, ivlen; - - MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> mbedtls_ssl_tls13_generate_handshake_keys" ) ); - - cipher_info = mbedtls_cipher_info_from_type( - ssl->handshake->ciphersuite_info->cipher ); - keylen = cipher_info->key_bitlen >> 3; - ivlen = cipher_info->iv_size; - - md_type = ssl->handshake->ciphersuite_info->mac; - md_info = mbedtls_md_info_from_type( md_type ); - md_size = mbedtls_md_get_size( md_info ); - - ret = mbedtls_ssl_get_handshake_transcript( ssl, md_type, - transcript, - sizeof( transcript ), - &transcript_len ); - if( ret != 0 ) - { - MBEDTLS_SSL_DEBUG_RET( 1, - "mbedtls_ssl_get_handshake_transcript", - ret ); - return( ret ); - } - - ret = mbedtls_ssl_tls1_3_derive_handshake_secrets( md_type, - ssl->handshake->tls13_master_secrets.handshake, - transcript, transcript_len, - &ssl->handshake->tls13_hs_secrets ); - if( ret != 0 ) - { - MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls1_3_derive_handshake_secrets", - ret ); - return( ret ); - } - - MBEDTLS_SSL_DEBUG_BUF( 4, "Client handshake traffic secret", - ssl->handshake->tls13_hs_secrets.client_handshake_traffic_secret, - md_size ); - - MBEDTLS_SSL_DEBUG_BUF( 4, "Server handshake traffic secret", - ssl->handshake->tls13_hs_secrets.server_handshake_traffic_secret, - md_size ); - - /* - * Export client handshake traffic secret - */ -#if 
defined(MBEDTLS_SSL_EXPORT_KEYS) - if( ssl->f_export_keys != NULL ) - { - ssl->f_export_keys( ssl->p_export_keys, - MBEDTLS_SSL_KEY_EXPORT_TLS13_CLIENT_HANDSHAKE_TRAFFIC_SECRET, - ssl->handshake->tls13_hs_secrets.client_handshake_traffic_secret, - md_size, - ssl->handshake->randbytes + 32, - ssl->handshake->randbytes, - MBEDTLS_SSL_TLS_PRF_NONE /* TODO: FIX! */ ); - - ssl->f_export_keys( ssl->p_export_keys, - MBEDTLS_SSL_KEY_EXPORT_TLS13_SERVER_HANDSHAKE_TRAFFIC_SECRET, - ssl->handshake->tls13_hs_secrets.server_handshake_traffic_secret, - md_size, - ssl->handshake->randbytes + 32, - ssl->handshake->randbytes, - MBEDTLS_SSL_TLS_PRF_NONE /* TODO: FIX! */ ); - } -#endif /* MBEDTLS_SSL_EXPORT_KEYS */ - - ret = mbedtls_ssl_tls1_3_make_traffic_keys( md_type, - ssl->handshake->tls13_hs_secrets.client_handshake_traffic_secret, - ssl->handshake->tls13_hs_secrets.server_handshake_traffic_secret, - md_size, - keylen, ivlen, traffic_keys ); - if( ret != 0 ) - { - MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls1_3_make_traffic_keys", ret ); - goto exit; - } - - MBEDTLS_SSL_DEBUG_BUF( 4, "client_handshake write_key", - traffic_keys->client_write_key, - traffic_keys->key_len); - - MBEDTLS_SSL_DEBUG_BUF( 4, "server_handshake write_key", - traffic_keys->server_write_key, - traffic_keys->key_len); - - MBEDTLS_SSL_DEBUG_BUF( 4, "client_handshake write_iv", - traffic_keys->client_write_iv, - traffic_keys->iv_len); - - MBEDTLS_SSL_DEBUG_BUF( 4, "server_handshake write_iv", - traffic_keys->server_write_iv, - traffic_keys->iv_len); - - MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= mbedtls_ssl_tls13_generate_handshake_keys" ) ); - -exit: - - return( ret ); -} - #endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ diff --git a/library/ssl_tls13_keys.h b/library/ssl_tls13_keys.h index 407b5d613d..7a41db13dd 100644 --- a/library/ssl_tls13_keys.h +++ b/library/ssl_tls13_keys.h 
@@ -70,6 +70,27 @@ extern const struct mbedtls_ssl_tls1_3_labels_struct mbedtls_ssl_tls1_3_labels; #define MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_CONTEXT_LEN \ MBEDTLS_MD_MAX_SIZE +typedef struct +{ + unsigned char binder_key [ MBEDTLS_MD_MAX_SIZE ]; + unsigned char client_early_traffic_secret [ MBEDTLS_MD_MAX_SIZE ]; + unsigned char early_exporter_master_secret[ MBEDTLS_MD_MAX_SIZE ]; +} mbedtls_ssl_tls1_3_early_secrets; + +typedef struct +{ + unsigned char client_handshake_traffic_secret[ MBEDTLS_MD_MAX_SIZE ]; + unsigned char server_handshake_traffic_secret[ MBEDTLS_MD_MAX_SIZE ]; +} mbedtls_ssl_tls1_3_handshake_secrets; + +typedef struct +{ + unsigned char client_application_traffic_secret_N[ MBEDTLS_MD_MAX_SIZE ]; + unsigned char server_application_traffic_secret_N[ MBEDTLS_MD_MAX_SIZE ]; + unsigned char exporter_master_secret [ MBEDTLS_MD_MAX_SIZE ]; + unsigned char resumption_master_secret [ MBEDTLS_MD_MAX_SIZE ]; +} mbedtls_ssl_tls1_3_application_secrets; + /* Maximum desired length for expanded key material generated * by HKDF-Expand-Label. * @@ -536,19 +557,4 @@ int mbedtls_ssl_tls13_populate_transform( mbedtls_ssl_transform *transform, */ int mbedtls_ssl_tls13_key_schedule_stage_early( mbedtls_ssl_context *ssl ); -/** - * \brief Compute TLS 1.3 handshake traffic keys. - * - * \param ssl The SSL context to operate on. This must be in - * key schedule stage \c Handshake, see - * mbedtls_ssl_tls13_key_schedule_stage_handshake(). - * \param traffic_keys The address at which to store the handshake traffic key - * keys. This must be writable but may be uninitialized. - * - * \returns \c 0 on success. - * \returns A negative error code on failure. - */ -int mbedtls_ssl_tls13_generate_handshake_keys( mbedtls_ssl_context *ssl, - mbedtls_ssl_key_set *traffic_keys ); - #endif /* MBEDTLS_SSL_TLS1_3_KEYS_H */ From 92c1ca221f535dcfda4edd23f116836a3799743f Mon Sep 17 00:00:00 2001 
From: Jerry Yu Date: Thu, 16 Sep 2021 18:56:10 +0800 Subject: [PATCH 12/24] fix likely typos error Signed-off-by: Jerry Yu --- library/ssl_msg.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/library/ssl_msg.c b/library/ssl_msg.c index 36a3e202ff..b749d93173 100644 --- a/library/ssl_msg.c +++ b/library/ssl_msg.c @@ -54,7 +54,7 @@ #include "mbedtls/oid.h" #endif -#define MBEDTLS_SSL_IN_CTR_LEN 8 +#define SSL_CONTEXT_INPUT_COUNTER_LEN 8 static uint32_t ssl_get_hs_total_len( mbedtls_ssl_context const *ssl ); @@ -4793,7 +4793,7 @@ int mbedtls_ssl_parse_change_cipher_spec( mbedtls_ssl_context *ssl ) } else #endif /* MBEDTLS_SSL_PROTO_DTLS */ - mbedtls_platform_zeroize( ssl->in_ctr, MBEDTLS_SSL_IN_CTR_LEN ); + mbedtls_platform_zeroize( ssl->in_ctr, SSL_CONTEXT_INPUT_COUNTER_LEN ); mbedtls_ssl_update_in_pointers( ssl ); @@ -5560,7 +5560,7 @@ void mbedtls_ssl_set_inbound_transform( mbedtls_ssl_context *ssl, return; ssl->transform_in = transform; - mbedtls_platform_zeroize( ssl->in_ctr, MBEDTLS_SSL_IN_CTR_LEN ); + mbedtls_platform_zeroize( ssl->in_ctr, SSL_CONTEXT_INPUT_COUNTER_LEN ); } void mbedtls_ssl_set_outbound_transform( mbedtls_ssl_context *ssl, From 4836952f9d3805c10d8bc01fd3c659aa858e152a Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Sat, 18 Sep 2021 16:09:01 +0800 Subject: [PATCH 13/24] fix tls1_3 prefix issues Signed-off-by: Jerry Yu --- library/ssl_misc.h | 10 +++++----- library/ssl_tls13_generic.c | 8 ++++---- library/ssl_tls13_keys.c | 4 ++-- library/ssl_tls13_keys.h | 2 +- 4 files changed, 12 insertions(+), 12 deletions(-) diff --git a/library/ssl_misc.h b/library/ssl_misc.h index fb261a0d6d..ea891f44a5 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h 
@@ -681,7 +681,7 @@ struct mbedtls_ssl_handshake_params unsigned char early [MBEDTLS_MD_MAX_SIZE]; unsigned char handshake[MBEDTLS_MD_MAX_SIZE]; unsigned char app [MBEDTLS_MD_MAX_SIZE]; - } tls13_master_secrets; + } tls1_3_master_secrets; #endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ #if defined(MBEDTLS_SSL_SESSION_TICKETS) @@ -1511,10 +1511,10 @@ void mbedtls_ssl_tls13_add_hs_hdr_to_checksum( mbedtls_ssl_context *ssl, /* * Update checksum of handshake messages. */ -void mbedtls_ssl_tls13_add_hs_msg_to_checksum( mbedtls_ssl_context *ssl, - unsigned hs_type, - unsigned char const *msg, - size_t msg_len ); +void mbedtls_ssl_tls1_3_add_hs_msg_to_checksum( mbedtls_ssl_context *ssl, + unsigned hs_type, + unsigned char const *msg, + size_t msg_len ); #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) /* diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c index bac11787d8..c8f6dc797c 100644 --- a/library/ssl_tls13_generic.c +++ b/library/ssl_tls13_generic.c @@ -66,10 +66,10 @@ cleanup: return( ret ); } -void mbedtls_ssl_tls13_add_hs_msg_to_checksum( mbedtls_ssl_context *ssl, - unsigned hs_type, - unsigned char const *msg, - size_t msg_len ) +void mbedtls_ssl_tls1_3_add_hs_msg_to_checksum( mbedtls_ssl_context *ssl, + unsigned hs_type, + unsigned char const *msg, + size_t msg_len ) { mbedtls_ssl_tls13_add_hs_hdr_to_checksum( ssl, hs_type, msg_len ); ssl->handshake->update_checksum( ssl, msg, msg_len ); diff --git a/library/ssl_tls13_keys.c b/library/ssl_tls13_keys.c index 32b68666be..2d504f0685 100644 --- a/library/ssl_tls13_keys.c +++ b/library/ssl_tls13_keys.c @@ -822,7 +822,7 @@ int mbedtls_ssl_tls13_populate_transform( mbedtls_ssl_transform *transform, return( 0 ); } -int mbedtls_ssl_tls13_key_schedule_stage_early( mbedtls_ssl_context *ssl ) +int mbedtls_ssl_tls1_3_key_schedule_stage_early( mbedtls_ssl_context *ssl ) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; mbedtls_md_type_t md_type; 
@@ -840,7 +840,7 @@ int mbedtls_ssl_tls13_key_schedule_stage_early( mbedtls_ssl_context *ssl ) input_len = ssl->handshake->psk_len; #endif ret = mbedtls_ssl_tls1_3_evolve_secret( md_type, NULL, input, input_len, - ssl->handshake->tls13_master_secrets.early ); + ssl->handshake->tls1_3_master_secrets.early ); if( ret != 0 ) { MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls1_3_evolve_secret", ret ); diff --git a/library/ssl_tls13_keys.h b/library/ssl_tls13_keys.h index 7a41db13dd..45b0fdfa4c 100644 --- a/library/ssl_tls13_keys.h +++ b/library/ssl_tls13_keys.h @@ -555,6 +555,6 @@ int mbedtls_ssl_tls13_populate_transform( mbedtls_ssl_transform *transform, * \returns \c 0 on success. * \returns A negative error code on failure. */ -int mbedtls_ssl_tls13_key_schedule_stage_early( mbedtls_ssl_context *ssl ); +int mbedtls_ssl_tls1_3_key_schedule_stage_early( mbedtls_ssl_context *ssl ); #endif /* MBEDTLS_SSL_TLS1_3_KEYS_H */ From e06f4532efffe9f0c7b717fdc23ff1752fce8ebd Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Thu, 23 Sep 2021 18:35:07 +0800 Subject: [PATCH 14/24] remove useless code Signed-off-by: Jerry Yu --- library/ssl_tls13_keys.c | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/library/ssl_tls13_keys.c b/library/ssl_tls13_keys.c index 2d504f0685..cc94984063 100644 --- a/library/ssl_tls13_keys.c +++ b/library/ssl_tls13_keys.c @@ -835,10 +835,7 @@ int mbedtls_ssl_tls1_3_key_schedule_stage_early( mbedtls_ssl_context *ssl ) } md_type = ssl->handshake->ciphersuite_info->mac; -#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) - input = ssl->handshake->psk; - input_len = ssl->handshake->psk_len; -#endif + ret = mbedtls_ssl_tls1_3_evolve_secret( md_type, NULL, input, input_len, ssl->handshake->tls1_3_master_secrets.early ); if( ret != 0 ) From 957f0fa1f726b28ecd6715dede67bd586e1b1c3d Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Fri, 24 Sep 2021 10:27:07 +0800 Subject: [PATCH 15/24] Add length macro for in_ctr 
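Review bot: After the @@ -835,10 +835,7 @@ hunk, mbedtls_ssl_tls1_3_key_schedule_stage_early always passes a NULL, zero-length IKM to mbedtls_ssl_tls1_3_evolve_secret, so the Early Secret is derived as if no PSK were in use; the @@ -836,7 +835,7 @@ hunk of patch 17 in the same file then hard-codes the same `NULL, 0`. If PSK-based key exchange is not supported by this code yet that is the right value, but nothing in the function says the restriction is deliberate, and the input that was removed was exactly the PSK. A comment on the call would make the intent explicit, e.g. `/* No PSK yet: derive the Early Secret from a zero-length IKM (RFC 8446 section 7.1). */`. The function's prologue and its error-handling tail lie outside the hunk.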
Signed-off-by: Jerry Yu --- include/mbedtls/ssl.h | 3 +++ library/ssl_msg.c | 14 ++++++-------- library/ssl_srv.c | 2 +- 3 files changed, 10 insertions(+), 9 deletions(-) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 725b156d5d..3f627139c8 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -593,6 +593,9 @@ union mbedtls_ssl_premaster_secret #define MBEDTLS_PREMASTER_SIZE sizeof( union mbedtls_ssl_premaster_secret ) +/* Length of in_ctr buffer in mbedtls_ssl_session */ +#define MBEDTLS_SSL_IN_CTR_LEN 8 + #ifdef __cplusplus extern "C" { #endif diff --git a/library/ssl_msg.c b/library/ssl_msg.c index b749d93173..518cfeeef4 100644 --- a/library/ssl_msg.c +++ b/library/ssl_msg.c @@ -54,8 +54,6 @@ #include "mbedtls/oid.h" #endif -#define SSL_CONTEXT_INPUT_COUNTER_LEN 8 - static uint32_t ssl_get_hs_total_len( mbedtls_ssl_context const *ssl ); /* @@ -3651,7 +3649,7 @@ static int ssl_prepare_record_content( mbedtls_ssl_context *ssl, #endif { unsigned i; - for( i = 8; i > mbedtls_ssl_ep_len( ssl ); i-- ) + for( i = MBEDTLS_SSL_IN_CTR_LEN; i > mbedtls_ssl_ep_len( ssl ); i-- ) if( ++ssl->in_ctr[i - 1] != 0 ) break; @@ -4793,7 +4791,7 @@ int mbedtls_ssl_parse_change_cipher_spec( mbedtls_ssl_context *ssl ) } else #endif /* MBEDTLS_SSL_PROTO_DTLS */ - mbedtls_platform_zeroize( ssl->in_ctr, SSL_CONTEXT_INPUT_COUNTER_LEN ); + mbedtls_platform_zeroize( ssl->in_ctr, MBEDTLS_SSL_IN_CTR_LEN ); mbedtls_ssl_update_in_pointers( ssl ); 
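Review bot: The new comment in include/mbedtls/ssl.h, `/* Length of in_ctr buffer in mbedtls_ssl_session */`, names the wrong structure: in_ctr is a member of mbedtls_ssl_context (the @@ -4883 hunk of the same patch assigns `ssl->in_ctr` inside `mbedtls_ssl_update_in_pointers( mbedtls_ssl_context *ssl )`), so the public header now documents a field that mbedtls_ssl_session does not have. Suggested wording: `/* Length of the record sequence-number counter (in_ctr) in mbedtls_ssl_context */`. Patch 18's rename to MBEDTLS_SSL_COUNTER_LEN keeps this comment unchanged while the macro is then also used to size cur_out_ctr, alt_out_ctr and the record ctr, so the wording there should be generalized to cover all the epoch/sequence-number counters rather than in_ctr alone.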
@@ -4883,17 +4881,17 @@ void mbedtls_ssl_update_in_pointers( mbedtls_ssl_context *ssl ) * ssl_parse_record_header(). */ ssl->in_ctr = ssl->in_hdr + 3; #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) - ssl->in_cid = ssl->in_ctr + 8; + ssl->in_cid = ssl->in_ctr + MBEDTLS_SSL_IN_CTR_LEN; ssl->in_len = ssl->in_cid; /* Default: no CID */ #else /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ - ssl->in_len = ssl->in_ctr + 8; + ssl->in_len = ssl->in_ctr + MBEDTLS_SSL_IN_CTR_LEN; #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ ssl->in_iv = ssl->in_len + 2; } else #endif { - ssl->in_ctr = ssl->in_hdr - 8; + ssl->in_ctr = ssl->in_hdr - MBEDTLS_SSL_IN_CTR_LEN; ssl->in_len = ssl->in_hdr + 3; #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) ssl->in_cid = ssl->in_len; @@ -5560,7 +5558,7 @@ void mbedtls_ssl_set_inbound_transform( mbedtls_ssl_context *ssl, return; ssl->transform_in = transform; - mbedtls_platform_zeroize( ssl->in_ctr, SSL_CONTEXT_INPUT_COUNTER_LEN ); + mbedtls_platform_zeroize( ssl->in_ctr, MBEDTLS_SSL_IN_CTR_LEN ); } void mbedtls_ssl_set_outbound_transform( mbedtls_ssl_context *ssl, diff --git a/library/ssl_srv.c b/library/ssl_srv.c index b8c4314846..147bb785de 100644 --- a/library/ssl_srv.c +++ b/library/ssl_srv.c @@ -1220,7 +1220,7 @@ read_record_header: return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER ); } - memcpy( ssl->cur_out_ctr + 2, ssl->in_ctr + 2, 6 ); + memcpy( ssl->cur_out_ctr + 2, ssl->in_ctr + 2, MBEDTLS_SSL_IN_CTR_LEN - 2 ); #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) if( mbedtls_ssl_dtls_replay_check( ssl ) != 0 ) From 148165cc6f78086d72983a5d925bc2945e834d94 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Fri, 24 Sep 2021 23:20:59 +0800 Subject: [PATCH 16/24] Remove psa version of get_handshake_transcript Signed-off-by: Jerry Yu --- library/ssl_tls.c | 73 +++++++++++------------------------------------ 1 file changed, 17 insertions(+), 56 deletions(-) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index ae5a5b8026..ab36f5d89f 100644 --- a/library/ssl_tls.c 
+++ b/library/ssl_tls.c @@ -6978,39 +6978,28 @@ exit: #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ +#if defined(MBEDTLS_USE_PSA_CRYPTO) +int mbedtls_ssl_get_handshake_transcript( mbedtls_ssl_context *ssl, + const mbedtls_md_type_t md, + unsigned char *dst, + size_t dst_len, + size_t *olen ) +{ + ((void) ssl); + ((void) md); + ((void) dst); + ((void) dst_len); + *olen = 0; + return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE); +} +#else /* MBEDTLS_USE_PSA_CRYPTO */ + #if defined(MBEDTLS_SHA384_C) static int ssl_get_handshake_transcript_sha384( mbedtls_ssl_context *ssl, unsigned char *dst, size_t dst_len, size_t *olen ) { -#if defined(MBEDTLS_USE_PSA_CRYPTO) - psa_status_t status; - psa_hash_operation_t sha384_psa = psa_hash_operation_init(); - - if( dst_len < 48 ) - return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); - - MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> PSA calc verify sha256" ) ); - status = psa_hash_clone( &ssl->handshake->fin_sha384_psa, &sha384_psa ); - if( status != PSA_SUCCESS ) - { - MBEDTLS_SSL_DEBUG_MSG( 2, ( "PSA hash clone failed" ) ); - return( MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED ); - } - - status = psa_hash_finish( &sha384_psa, dst, dst_len, olen ); - if( status != PSA_SUCCESS ) - { - MBEDTLS_SSL_DEBUG_MSG( 2, ( "PSA hash finish failed" ) ); - return( MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED ); - } - - *olen = 48; - MBEDTLS_SSL_DEBUG_BUF( 3, "PSA calculated verify result", dst, *olen ); - MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= PSA calc verify" ) ); - return( 0 ); -#else /* MBEDTLS_USE_PSA_CRYPTO */ int ret; mbedtls_sha512_context sha512; @@ -7032,7 +7021,6 @@ exit: mbedtls_sha512_free( &sha512 ); return( ret ); -#endif /* !MBEDTLS_USE_PSA_CRYPTO */ } #endif /* MBEDTLS_SHA384_C */ 
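Review bot: The new PSA-only definition of mbedtls_ssl_get_handshake_transcript is a stub that returns MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE for every input, so any TLS 1.3 caller in a build with MBEDTLS_USE_PSA_CRYPTO fails at key derivation with nothing in the source explaining why; a comment above the stub stating that the PSA path was removed on purpose and is still to be provided, e.g. `/* TODO: transcript retrieval is not implemented for MBEDTLS_USE_PSA_CRYPTO yet; TLS 1.3 key derivation is unavailable in that configuration. */`, would make that explicit to the next reader. The return line also departs from the file's `return( x );` spacing and should read `return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );`. The sha384 helper in the `#else` branch continues past the hunk.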
@@ -7042,33 +7030,6 @@ static int ssl_get_handshake_transcript_sha256( mbedtls_ssl_context *ssl, size_t dst_len, size_t *olen ) { -#if defined(MBEDTLS_USE_PSA_CRYPTO) - psa_status_t status; - psa_hash_operation_t sha256_psa = psa_hash_operation_init(); - - if( dst_len < 32 ) - return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); - - MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> PSA calc verify sha256" ) ); - status = psa_hash_clone( &ssl->handshake->fin_sha256_psa, &sha256_psa ); - if( status != PSA_SUCCESS ) - { - MBEDTLS_SSL_DEBUG_MSG( 2, ( "PSA hash clone failed" ) ); - return( MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED ); - } - - status = psa_hash_finish( &sha256_psa, dst, dst_len, olen ); - if( status != PSA_SUCCESS ) - { - MBEDTLS_SSL_DEBUG_MSG( 2, ( "PSA hash finish failed" ) ); - return( MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED ); - } - - *olen = 32; - MBEDTLS_SSL_DEBUG_BUF( 3, "PSA calculated verify result", dst, *olen ); - MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= PSA calc verify" ) ); - return( 0 ); -#else /* MBEDTLS_USE_PSA_CRYPTO */ int ret; mbedtls_sha256_context sha256; @@ -7090,7 +7051,6 @@ exit: mbedtls_sha256_free( &sha256 ); return( ret ); -#endif /* !MBEDTLS_USE_PSA_CRYPTO */ } #endif /* MBEDTLS_SHA256_C */ @@ -7116,5 +7076,6 @@ int mbedtls_ssl_get_handshake_transcript( mbedtls_ssl_context *ssl, #endif /* MBEDTLS_SHA256_C */ return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); } +#endif /* !MBEDTLS_USE_PSA_CRYPTO */ #endif /* MBEDTLS_SSL_TLS_C */ From 6ca7c7fd6b346d90312bbf906522ce2aefa38240 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Tue, 28 Sep 2021 18:51:40 +0800 Subject: [PATCH 17/24] Remove useless variables Signed-off-by: Jerry Yu --- library/ssl_tls13_keys.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/library/ssl_tls13_keys.c b/library/ssl_tls13_keys.c index cc94984063..b07c1c3b9e 100644 --- a/library/ssl_tls13_keys.c +++ b/library/ssl_tls13_keys.c 
@@ -826,8 +826,7 @@ int mbedtls_ssl_tls1_3_key_schedule_stage_early( mbedtls_ssl_context *ssl ) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; mbedtls_md_type_t md_type; - const unsigned char *input = NULL; - size_t input_len = 0; + if( ssl->handshake->ciphersuite_info == NULL ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "cipher suite info not found" ) ); @@ -836,7 +835,7 @@ int mbedtls_ssl_tls1_3_key_schedule_stage_early( mbedtls_ssl_context *ssl ) md_type = ssl->handshake->ciphersuite_info->mac; - ret = mbedtls_ssl_tls1_3_evolve_secret( md_type, NULL, input, input_len, + ret = mbedtls_ssl_tls1_3_evolve_secret( md_type, NULL, NULL, 0, ssl->handshake->tls1_3_master_secrets.early ); if( ret != 0 ) { From d9a94fe3d096d488fb54688033c10fbcfd980001 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Tue, 28 Sep 2021 18:58:59 +0800 Subject: [PATCH 18/24] Add counter length macro Signed-off-by: Jerry Yu --- include/mbedtls/ssl.h | 4 ++-- library/ssl_misc.h | 20 ++++++++++---------- library/ssl_msg.c | 34 ++++++++++++++++++---------------- library/ssl_srv.c | 3 ++- library/ssl_tls.c | 19 +++++++++++-------- 5 files changed, 43 insertions(+), 37 deletions(-) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 3f627139c8..d2f4361388 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -594,7 +594,7 @@ union mbedtls_ssl_premaster_secret #define MBEDTLS_PREMASTER_SIZE sizeof( union mbedtls_ssl_premaster_secret ) /* Length of in_ctr buffer in mbedtls_ssl_session */ -#define MBEDTLS_SSL_IN_CTR_LEN 8 +#define MBEDTLS_SSL_COUNTER_LEN 8 #ifdef __cplusplus extern "C" { 
@@ -1555,7 +1555,7 @@ struct mbedtls_ssl_context size_t MBEDTLS_PRIVATE(out_buf_len); /*!< length of output buffer */ #endif - unsigned char MBEDTLS_PRIVATE(cur_out_ctr)[8]; /*!< Outgoing record sequence number. */ + unsigned char MBEDTLS_PRIVATE(cur_out_ctr)[MBEDTLS_SSL_COUNTER_LEN]; /*!< Outgoing record sequence number. */ #if defined(MBEDTLS_SSL_PROTO_DTLS) uint16_t MBEDTLS_PRIVATE(mtu); /*!< path mtu, used to fragment outgoing messages */ diff --git a/library/ssl_misc.h b/library/ssl_misc.h index ea891f44a5..6f83fc3276 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -573,8 +573,8 @@ struct mbedtls_ssl_handshake_params flight being received */ mbedtls_ssl_transform *alt_transform_out; /*!< Alternative transform for resending messages */ - unsigned char alt_out_ctr[8]; /*!< Alternative record epoch/counter - for resending messages */ + unsigned char alt_out_ctr[MBEDTLS_SSL_COUNTER_LEN]; /*!< Alternative record epoch/counter + for resending messages */ #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) /* The state of CID configuration in this handshake. */ 
@@ -873,14 +873,14 @@ static inline int mbedtls_ssl_transform_uses_aead( typedef struct { - uint8_t ctr[8]; /* In TLS: The implicit record sequence number. - * In DTLS: The 2-byte epoch followed by - * the 6-byte sequence number. - * This is stored as a raw big endian byte array - * as opposed to a uint64_t because we rarely - * need to perform arithmetic on this, but do - * need it as a Byte array for the purpose of - * MAC computations. */ + uint8_t ctr[MBEDTLS_SSL_COUNTER_LEN]; /* In TLS: The implicit record sequence number. + * In DTLS: The 2-byte epoch followed by + * the 6-byte sequence number. + * This is stored as a raw big endian byte array + * as opposed to a uint64_t because we rarely + * need to perform arithmetic on this, but do + * need it as a Byte array for the purpose of + * MAC computations. */ uint8_t type; /* The record content type. */ uint8_t ver[2]; /* SSL/TLS version as present on the wire. * Convert to internal presentation of versions diff --git a/library/ssl_msg.c b/library/ssl_msg.c index 518cfeeef4..25e3ca3ec2 100644 --- a/library/ssl_msg.c +++ b/library/ssl_msg.c @@ -2117,9 +2117,9 @@ static int ssl_swap_epochs( mbedtls_ssl_context *ssl ) ssl->handshake->alt_transform_out = tmp_transform; /* Swap epoch + sequence_number */ - memcpy( tmp_out_ctr, ssl->cur_out_ctr, 8 ); - memcpy( ssl->cur_out_ctr, ssl->handshake->alt_out_ctr, 8 ); - memcpy( ssl->handshake->alt_out_ctr, tmp_out_ctr, 8 ); + memcpy( tmp_out_ctr, ssl->cur_out_ctr, sizeof( ssl->cur_out_ctr ) ); + memcpy( ssl->cur_out_ctr, ssl->handshake->alt_out_ctr, sizeof( ssl->cur_out_ctr ) ); + memcpy( ssl->handshake->alt_out_ctr, tmp_out_ctr, sizeof( ssl->handshake->alt_out_ctr ) ); /* Adjust to the newly activated transform */ mbedtls_ssl_update_out_pointers( ssl, ssl->transform_out ); 
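Review bot: In ssl_swap_epochs the first memcpy now bounds the copy into tmp_out_ctr by `sizeof( ssl->cur_out_ctr )`, the source, while tmp_out_ctr's declaration is outside the hunk; if tmp_out_ctr is a local array it should be declared with MBEDTLS_SSL_COUNTER_LEN like the two fields it is swapped with, and the copy sized by the destination as the other two are, `memcpy( tmp_out_ctr, ssl->cur_out_ctr, sizeof( tmp_out_ctr ) );`. That keeps all three copies bounded by the buffer being written and makes a later size change in one place impossible to miss. The rest of ssl_swap_epochs lies outside the hunk.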
@@ -2562,7 +2562,7 @@ int mbedtls_ssl_write_record( mbedtls_ssl_context *ssl, uint8_t force_flush ) mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver, ssl->conf->transport, ssl->out_hdr + 1 ); - memcpy( ssl->out_ctr, ssl->cur_out_ctr, 8 ); + memcpy( ssl->out_ctr, ssl->cur_out_ctr, sizeof( ssl->cur_out_ctr ) ); MBEDTLS_PUT_UINT16_BE( len, ssl->out_len, 0); if( ssl->transform_out != NULL ) @@ -2574,7 +2574,7 @@ int mbedtls_ssl_write_record( mbedtls_ssl_context *ssl, uint8_t force_flush ) rec.data_len = ssl->out_msglen; rec.data_offset = ssl->out_msg - rec.buf; - memcpy( &rec.ctr[0], ssl->out_ctr, 8 ); + memcpy( &rec.ctr[0], ssl->out_ctr, MBEDTLS_SSL_COUNTER_LEN ); mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver, ssl->conf->transport, rec.ver ); rec.type = ssl->out_msgtype; @@ -3649,7 +3649,7 @@ static int ssl_prepare_record_content( mbedtls_ssl_context *ssl, #endif { unsigned i; - for( i = MBEDTLS_SSL_IN_CTR_LEN; i > mbedtls_ssl_ep_len( ssl ); i-- ) + for( i = MBEDTLS_SSL_COUNTER_LEN; i > mbedtls_ssl_ep_len( ssl ); i-- ) if( ++ssl->in_ctr[i - 1] != 0 ) break; @@ -4791,7 +4791,7 @@ int mbedtls_ssl_parse_change_cipher_spec( mbedtls_ssl_context *ssl ) } else #endif /* MBEDTLS_SSL_PROTO_DTLS */ - mbedtls_platform_zeroize( ssl->in_ctr, MBEDTLS_SSL_IN_CTR_LEN ); + mbedtls_platform_zeroize( ssl->in_ctr, MBEDTLS_SSL_COUNTER_LEN ); mbedtls_ssl_update_in_pointers( ssl ); @@ -4827,12 +4827,12 @@ void mbedtls_ssl_update_out_pointers( mbedtls_ssl_context *ssl, { ssl->out_ctr = ssl->out_hdr + 3; #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) - ssl->out_cid = ssl->out_ctr + 8; + ssl->out_cid = ssl->out_ctr + MBEDTLS_SSL_COUNTER_LEN; ssl->out_len = ssl->out_cid; if( transform != NULL ) ssl->out_len += transform->out_cid_len; #else /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ - ssl->out_len = ssl->out_ctr + 8; + ssl->out_len = ssl->out_ctr + MBEDTLS_SSL_COUNTER_LEN; #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ ssl->out_iv = ssl->out_len + 2; } 
@@ -4881,17 +4881,17 @@ void mbedtls_ssl_update_in_pointers( mbedtls_ssl_context *ssl ) * ssl_parse_record_header(). */ ssl->in_ctr = ssl->in_hdr + 3; #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) - ssl->in_cid = ssl->in_ctr + MBEDTLS_SSL_IN_CTR_LEN; + ssl->in_cid = ssl->in_ctr + MBEDTLS_SSL_COUNTER_LEN; ssl->in_len = ssl->in_cid; /* Default: no CID */ #else /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ - ssl->in_len = ssl->in_ctr + MBEDTLS_SSL_IN_CTR_LEN; + ssl->in_len = ssl->in_ctr + MBEDTLS_SSL_COUNTER_LEN; #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ ssl->in_iv = ssl->in_len + 2; } else #endif { - ssl->in_ctr = ssl->in_hdr - MBEDTLS_SSL_IN_CTR_LEN; + ssl->in_ctr = ssl->in_hdr - MBEDTLS_SSL_COUNTER_LEN; ssl->in_len = ssl->in_hdr + 3; #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) ssl->in_cid = ssl->in_len; @@ -5065,9 +5065,11 @@ static int ssl_check_ctr_renegotiate( mbedtls_ssl_context *ssl ) } in_ctr_cmp = memcmp( ssl->in_ctr + ep_len, - ssl->conf->renego_period + ep_len, 8 - ep_len ); - out_ctr_cmp = memcmp( ssl->cur_out_ctr + ep_len, - ssl->conf->renego_period + ep_len, 8 - ep_len ); + &ssl->conf->renego_period[ep_len], + MBEDTLS_SSL_COUNTER_LEN - ep_len ); + out_ctr_cmp = memcmp( &ssl->cur_out_ctr[ep_len], + &ssl->conf->renego_period[ep_len], + sizeof( ssl->cur_out_ctr ) - ep_len ); if( in_ctr_cmp <= 0 && out_ctr_cmp <= 0 ) { @@ -5558,7 +5560,7 @@ void mbedtls_ssl_set_inbound_transform( mbedtls_ssl_context *ssl, return; ssl->transform_in = transform; - mbedtls_platform_zeroize( ssl->in_ctr, MBEDTLS_SSL_IN_CTR_LEN ); + mbedtls_platform_zeroize( ssl->in_ctr, MBEDTLS_SSL_COUNTER_LEN ); } void mbedtls_ssl_set_outbound_transform( mbedtls_ssl_context *ssl, diff --git a/library/ssl_srv.c b/library/ssl_srv.c index 147bb785de..79c160ea4a 100644 --- a/library/ssl_srv.c +++ b/library/ssl_srv.c 
@@ -1220,7 +1220,8 @@ read_record_header: return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER ); } - memcpy( ssl->cur_out_ctr + 2, ssl->in_ctr + 2, MBEDTLS_SSL_IN_CTR_LEN - 2 ); + memcpy( &ssl->cur_out_ctr[2], ssl->in_ctr + 2, + MBEDTLS_SSL_COUNTER_LEN - 2 ); #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) if( mbedtls_ssl_dtls_replay_check( ssl ) != 0 ) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index ab36f5d89f..b22db47b5b 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -2820,10 +2820,13 @@ int mbedtls_ssl_write_finished( mbedtls_ssl_context *ssl ) /* Remember current epoch settings for resending */ ssl->handshake->alt_transform_out = ssl->transform_out; - memcpy( ssl->handshake->alt_out_ctr, ssl->cur_out_ctr, 8 ); + memcpy( ssl->handshake->alt_out_ctr, ssl->cur_out_ctr, + sizeof( ssl->cur_out_ctr ) ); /* Set sequence_number to zero */ - memset( ssl->cur_out_ctr + 2, 0, 6 ); + mbedtls_platform_zeroize( &ssl->cur_out_ctr[2], + sizeof( ssl->cur_out_ctr ) - 2 ); + /* Increment epoch */ for( i = 2; i > 0; i-- ) @@ -2839,7 +2842,7 @@ int mbedtls_ssl_write_finished( mbedtls_ssl_context *ssl ) } else #endif /* MBEDTLS_SSL_PROTO_DTLS */ - memset( ssl->cur_out_ctr, 0, 8 ); + mbedtls_platform_zeroize( ssl->cur_out_ctr, sizeof( ssl->cur_out_ctr ) ); ssl->transform_out = ssl->transform_negotiate; ssl->session_out = ssl->session_negotiate; @@ -3324,7 +3327,7 @@ static void ssl_session_reset_msg_layer( mbedtls_ssl_context *ssl, ssl->out_msglen = 0; ssl->out_left = 0; memset( ssl->out_buf, 0, out_buf_len ); - memset( ssl->cur_out_ctr, 0, sizeof( ssl->cur_out_ctr ) ); + mbedtls_platform_zeroize( ssl->cur_out_ctr, sizeof( ssl->cur_out_ctr ) ); ssl->transform_out = NULL; #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) @@ -5778,7 +5781,7 @@ int mbedtls_ssl_context_save( mbedtls_ssl_context *ssl, used += 8; if( used <= buf_len ) { - memcpy( p, ssl->cur_out_ctr, 8 ); + memcpy( p, ssl->cur_out_ctr, sizeof( ssl->cur_out_ctr ) ); p += 8; } 
@@ -6035,11 +6038,11 @@ static int ssl_context_load( mbedtls_ssl_context *ssl, ssl->disable_datagram_packing = *p++; #endif /* MBEDTLS_SSL_PROTO_DTLS */ - if( (size_t)( end - p ) < 8 ) + if( (size_t)( end - p ) < sizeof( ssl->cur_out_ctr ) ) return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); - memcpy( ssl->cur_out_ctr, p, 8 ); - p += 8; + memcpy( ssl->cur_out_ctr, p, sizeof( ssl->cur_out_ctr ) ); + p += sizeof( ssl->cur_out_ctr ); #if defined(MBEDTLS_SSL_PROTO_DTLS) if( (size_t)( end - p ) < 2 ) From d96a5c2d86ee01c61f3c8d8a16f16d351b72fc82 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Wed, 29 Sep 2021 17:46:51 +0800 Subject: [PATCH 19/24] Fix wrong usage of counter len macro Signed-off-by: Jerry Yu --- include/mbedtls/ssl.h | 2 +- library/ssl_msg.c | 14 ++++++++------ library/ssl_srv.c | 2 +- library/ssl_tls.c | 9 ++++----- 4 files changed, 14 insertions(+), 13 deletions(-) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index d2f4361388..2b75267e84 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -593,7 +593,7 @@ union mbedtls_ssl_premaster_secret #define MBEDTLS_PREMASTER_SIZE sizeof( union mbedtls_ssl_premaster_secret ) -/* Length of in_ctr buffer in mbedtls_ssl_session */ +/* Length in number of bytes of the TLS sequence number */ #define MBEDTLS_SSL_COUNTER_LEN 8 #ifdef __cplusplus diff --git a/library/ssl_msg.c b/library/ssl_msg.c index 25e3ca3ec2..e636762c53 100644 --- a/library/ssl_msg.c +++ b/library/ssl_msg.c @@ -2101,7 +2101,7 @@ void mbedtls_ssl_flight_free( mbedtls_ssl_flight_item *flight ) static int ssl_swap_epochs( mbedtls_ssl_context *ssl ) { mbedtls_ssl_transform *tmp_transform; - unsigned char tmp_out_ctr[8]; + unsigned char tmp_out_ctr[MBEDTLS_SSL_COUNTER_LEN]; if( ssl->transform_out == ssl->handshake->alt_transform_out ) { 
@@ -2117,9 +2117,11 @@ static int ssl_swap_epochs( mbedtls_ssl_context *ssl ) ssl->handshake->alt_transform_out = tmp_transform; /* Swap epoch + sequence_number */ - memcpy( tmp_out_ctr, ssl->cur_out_ctr, sizeof( ssl->cur_out_ctr ) ); - memcpy( ssl->cur_out_ctr, ssl->handshake->alt_out_ctr, sizeof( ssl->cur_out_ctr ) ); - memcpy( ssl->handshake->alt_out_ctr, tmp_out_ctr, sizeof( ssl->handshake->alt_out_ctr ) ); + memcpy( tmp_out_ctr, ssl->cur_out_ctr, sizeof( tmp_out_ctr ) ); + memcpy( ssl->cur_out_ctr, ssl->handshake->alt_out_ctr, + sizeof( ssl->cur_out_ctr ) ); + memcpy( ssl->handshake->alt_out_ctr, tmp_out_ctr, + sizeof( ssl->handshake->alt_out_ctr ) ); /* Adjust to the newly activated transform */ mbedtls_ssl_update_out_pointers( ssl, ssl->transform_out ); @@ -2562,7 +2564,7 @@ int mbedtls_ssl_write_record( mbedtls_ssl_context *ssl, uint8_t force_flush ) mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver, ssl->conf->transport, ssl->out_hdr + 1 ); - memcpy( ssl->out_ctr, ssl->cur_out_ctr, sizeof( ssl->cur_out_ctr ) ); + memcpy( ssl->out_ctr, ssl->cur_out_ctr, MBEDTLS_SSL_COUNTER_LEN ); MBEDTLS_PUT_UINT16_BE( len, ssl->out_len, 0); if( ssl->transform_out != NULL ) @@ -2574,7 +2576,7 @@ int mbedtls_ssl_write_record( mbedtls_ssl_context *ssl, uint8_t force_flush ) rec.data_len = ssl->out_msglen; rec.data_offset = ssl->out_msg - rec.buf; - memcpy( &rec.ctr[0], ssl->out_ctr, MBEDTLS_SSL_COUNTER_LEN ); + memcpy( &rec.ctr[0], ssl->out_ctr, sizeof( rec.ctr ) ); mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver, ssl->conf->transport, rec.ver ); rec.type = ssl->out_msgtype; diff --git a/library/ssl_srv.c b/library/ssl_srv.c index 79c160ea4a..e27fdff5e3 100644 --- a/library/ssl_srv.c +++ b/library/ssl_srv.c @@ -1221,7 +1221,7 @@ read_record_header: } memcpy( &ssl->cur_out_ctr[2], ssl->in_ctr + 2, - MBEDTLS_SSL_COUNTER_LEN - 2 ); + sizeof( ssl->cur_out_ctr ) - 2 ); #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) if( mbedtls_ssl_dtls_replay_check( ssl ) != 0 ) 
diff --git a/library/ssl_tls.c b/library/ssl_tls.c index b22db47b5b..58b81ff26d 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -2821,7 +2821,7 @@ int mbedtls_ssl_write_finished( mbedtls_ssl_context *ssl ) /* Remember current epoch settings for resending */ ssl->handshake->alt_transform_out = ssl->transform_out; memcpy( ssl->handshake->alt_out_ctr, ssl->cur_out_ctr, - sizeof( ssl->cur_out_ctr ) ); + sizeof( ssl->handshake->alt_out_ctr ) ); /* Set sequence_number to zero */ mbedtls_platform_zeroize( &ssl->cur_out_ctr[2], @@ -5778,11 +5778,11 @@ int mbedtls_ssl_context_save( mbedtls_ssl_context *ssl, } #endif /* MBEDTLS_SSL_PROTO_DTLS */ - used += 8; + used += MBEDTLS_SSL_COUNTER_LEN; if( used <= buf_len ) { - memcpy( p, ssl->cur_out_ctr, sizeof( ssl->cur_out_ctr ) ); - p += 8; + memcpy( p, ssl->cur_out_ctr, MBEDTLS_SSL_COUNTER_LEN ); + p += MBEDTLS_SSL_COUNTER_LEN; } #if defined(MBEDTLS_SSL_PROTO_DTLS) @@ -6040,7 +6040,6 @@ static int ssl_context_load( mbedtls_ssl_context *ssl, if( (size_t)( end - p ) < sizeof( ssl->cur_out_ctr ) ) return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); - memcpy( ssl->cur_out_ctr, p, sizeof( ssl->cur_out_ctr ) ); p += sizeof( ssl->cur_out_ctr ); From c1ddeef53aa547956f63a5da74f4e93f1865fa35 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Fri, 8 Oct 2021 15:14:45 +0800 Subject: [PATCH 20/24] fix various issues Signed-off-by: Jerry Yu --- library/ssl_misc.h | 4 +--- library/ssl_msg.c | 3 --- library/ssl_tls.c | 20 +++++++++++--------- library/ssl_tls13_keys.h | 8 ++------ 4 files changed, 14 insertions(+), 21 deletions(-) diff --git a/library/ssl_misc.h b/library/ssl_misc.h index 6f83fc3276..06351fc0c7 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h 
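Review bot: The `memcpy( ssl->cur_out_ctr, p, sizeof( ssl->cur_out_ctr ) );` in ssl_context_load is deleted with no replacement, while the mbedtls_ssl_context_save hunk in the same commit still serialises those bytes, so the loader now advances `p` past the saved outgoing sequence number without restoring it; the diffstat for ssl_tls.c (4 insertions, 5 deletions) confirms the line is dropped rather than moved. Unless the value is restored elsewhere in the function (the rest of ssl_context_load lies outside the hunk), a deserialised context resumes sending with whatever cur_out_ctr held after reset, i.e. a sequence number restarting from zero under the saved keys, which depending on the cipher suite repeats AEAD nonces or makes the peer reject every following record. Restore the line as `memcpy( ssl->cur_out_ctr, p, sizeof( ssl->cur_out_ctr ) );` immediately before the `p += sizeof( ssl->cur_out_ctr );`, and a save/load round-trip test asserting that cur_out_ctr survives would have caught this.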
@@ -1501,9 +1501,7 @@ int mbedtls_ssl_tls13_start_handshake_msg( mbedtls_ssl_context *ssl, int mbedtls_ssl_tls13_finish_handshake_msg( mbedtls_ssl_context *ssl, size_t buf_len, size_t msg_len ); -/* - * Update checksum with handshake header - */ + void mbedtls_ssl_tls13_add_hs_hdr_to_checksum( mbedtls_ssl_context *ssl, unsigned hs_type, size_t total_hs_len ); diff --git a/library/ssl_msg.c b/library/ssl_msg.c index e636762c53..13a9e0ff31 100644 --- a/library/ssl_msg.c +++ b/library/ssl_msg.c @@ -5558,9 +5558,6 @@ void mbedtls_ssl_transform_free( mbedtls_ssl_transform *transform ) void mbedtls_ssl_set_inbound_transform( mbedtls_ssl_context *ssl, mbedtls_ssl_transform *transform ) { - if( ssl->transform_in == transform ) - return; - ssl->transform_in = transform; mbedtls_platform_zeroize( ssl->in_ctr, MBEDTLS_SSL_COUNTER_LEN ); } diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 58b81ff26d..26cf6b3e09 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -7062,20 +7062,22 @@ int mbedtls_ssl_get_handshake_transcript( mbedtls_ssl_context *ssl, size_t dst_len, size_t *olen ) { + switch( md ) + { + #if defined(MBEDTLS_SHA384_C) - if( md == MBEDTLS_MD_SHA384 ) - { + case MBEDTLS_MD_SHA384: return( ssl_get_handshake_transcript_sha384( ssl, dst, dst_len, olen ) ); - } - else -#endif /* MBEDTLS_SHA512_C */ +#endif /* MBEDTLS_SHA384_C */ + #if defined(MBEDTLS_SHA256_C) - if( md == MBEDTLS_MD_SHA256 ) - { + case MBEDTLS_MD_SHA256: return( ssl_get_handshake_transcript_sha256( ssl, dst, dst_len, olen ) ); - } - else #endif /* MBEDTLS_SHA256_C */ + + default: + break; + } return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); } #endif /* !MBEDTLS_USE_PSA_CRYPTO */ diff --git a/library/ssl_tls13_keys.h b/library/ssl_tls13_keys.h index 45b0fdfa4c..866aae9117 100644 --- a/library/ssl_tls13_keys.h +++ b/library/ssl_tls13_keys.h 
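Review bot: The comment on `mbedtls_ssl_tls13_add_hs_hdr_to_checksum` in ssl_misc.h is removed rather than corrected, leaving that prototype undocumented while the neighbouring TLS 1.3 helpers in the same header keep theirs. If the old wording was considered inaccurate, replace it instead of deleting it, e.g. `/* Feed a handshake header (hs_type, total_hs_len) into the running transcript checksum */`, which matches the parameters visible in the prototype and the style of the surrounding comments.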
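Review bot: Dropping the `if( ssl->transform_in == transform ) return;` guard makes mbedtls_ssl_set_inbound_transform reset `in_ctr` to zero on every call, including a call that re-installs the transform already in use. If any caller does that while records are in flight, the expected sequence number no longer matches what the peer sends and subsequent records fail authentication under TLS's implicit sequence numbers; the outbound counterpart shown in a later hunk, `mbedtls_ssl_set_outbound_transform`, already zeroes `cur_out_ctr` unconditionally, and a redundant call there would reuse sequence numbers, and hence AEAD nonces, under unchanged keys. Either keep the guard or state the precondition on both setters, e.g. `/* Call only when switching to a different transform: resets the record sequence number */`, so the idempotence callers may have relied on is not silently lost.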
@@ -534,22 +534,18 @@ int mbedtls_ssl_tls13_populate_transform( mbedtls_ssl_transform *transform, /* * TLS 1.3 key schedule evolutions * - * Early Data -> Handshake -> Application + * Early -> Handshake -> Application * * Small wrappers around mbedtls_ssl_tls1_3_evolve_secret(). */ /** - * \brief Begin TLS 1.3 key schedule by calculating early secret - * from chosen PSK. + * \brief Begin TLS 1.3 key schedule by calculating early secret. * * The TLS 1.3 key schedule can be viewed as a simple state machine * with states Initial -> Early -> Handshake -> Application, and * this function represents the Initial -> Early transition. * - * In the early stage, mbedtls_ssl_tls1_3_generate_early_data_keys() - * can be used to derive the 0-RTT traffic keys. - * * \param ssl The SSL context to operate on. * * \returns \c 0 on success. From ae0b2e2a2f5de804bf450ec7da12761c2f53af91 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Fri, 8 Oct 2021 15:21:19 +0800 Subject: [PATCH 21/24] Rename counter_len Signed-off-by: Jerry Yu --- include/mbedtls/ssl.h | 4 ++-- library/ssl_misc.h | 20 ++++++++++---------- library/ssl_msg.c | 25 ++++++++++++++----------- library/ssl_tls.c | 6 +++--- 4 files changed, 29 insertions(+), 26 deletions(-) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 2b75267e84..2c77dbed55 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -594,7 +594,7 @@ union mbedtls_ssl_premaster_secret #define MBEDTLS_PREMASTER_SIZE sizeof( union mbedtls_ssl_premaster_secret ) /* Length in number of bytes of the TLS sequence number */ -#define MBEDTLS_SSL_COUNTER_LEN 8 +#define MBEDTLS_SSL_SEQUENCE_NUMBER_LEN 8 #ifdef __cplusplus extern "C" { 
@@ -1555,7 +1555,7 @@ struct mbedtls_ssl_context size_t MBEDTLS_PRIVATE(out_buf_len); /*!< length of output buffer */ #endif - unsigned char MBEDTLS_PRIVATE(cur_out_ctr)[MBEDTLS_SSL_COUNTER_LEN]; /*!< Outgoing record sequence number. */ + unsigned char MBEDTLS_PRIVATE(cur_out_ctr)[MBEDTLS_SSL_SEQUENCE_NUMBER_LEN]; /*!< Outgoing record sequence number. */ #if defined(MBEDTLS_SSL_PROTO_DTLS) uint16_t MBEDTLS_PRIVATE(mtu); /*!< path mtu, used to fragment outgoing messages */ diff --git a/library/ssl_misc.h b/library/ssl_misc.h index 06351fc0c7..d194b0e1eb 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -573,8 +573,8 @@ struct mbedtls_ssl_handshake_params flight being received */ mbedtls_ssl_transform *alt_transform_out; /*!< Alternative transform for resending messages */ - unsigned char alt_out_ctr[MBEDTLS_SSL_COUNTER_LEN]; /*!< Alternative record epoch/counter - for resending messages */ + unsigned char alt_out_ctr[MBEDTLS_SSL_SEQUENCE_NUMBER_LEN]; /*!< Alternative record epoch/counter + for resending messages */ #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) /* The state of CID configuration in this handshake. */ 
@@ -873,14 +873,14 @@ static inline int mbedtls_ssl_transform_uses_aead( typedef struct { - uint8_t ctr[MBEDTLS_SSL_COUNTER_LEN]; /* In TLS: The implicit record sequence number. - * In DTLS: The 2-byte epoch followed by - * the 6-byte sequence number. - * This is stored as a raw big endian byte array - * as opposed to a uint64_t because we rarely - * need to perform arithmetic on this, but do - * need it as a Byte array for the purpose of - * MAC computations. */ + uint8_t ctr[MBEDTLS_SSL_SEQUENCE_NUMBER_LEN]; /* In TLS: The implicit record sequence number. + * In DTLS: The 2-byte epoch followed by + * the 6-byte sequence number. + * This is stored as a raw big endian byte array + * as opposed to a uint64_t because we rarely + * need to perform arithmetic on this, but do + * need it as a Byte array for the purpose of + * MAC computations. */ uint8_t type; /* The record content type. */ uint8_t ver[2]; /* SSL/TLS version as present on the wire. * Convert to internal presentation of versions diff --git a/library/ssl_msg.c b/library/ssl_msg.c index 13a9e0ff31..7fa0a56174 100644 --- a/library/ssl_msg.c +++ b/library/ssl_msg.c @@ -2101,7 +2101,7 @@ void mbedtls_ssl_flight_free( mbedtls_ssl_flight_item *flight ) static int ssl_swap_epochs( mbedtls_ssl_context *ssl ) { mbedtls_ssl_transform *tmp_transform; - unsigned char tmp_out_ctr[MBEDTLS_SSL_COUNTER_LEN]; + unsigned char tmp_out_ctr[MBEDTLS_SSL_SEQUENCE_NUMBER_LEN]; if( ssl->transform_out == ssl->handshake->alt_transform_out ) { @@ -2564,7 +2564,7 @@ int mbedtls_ssl_write_record( mbedtls_ssl_context *ssl, uint8_t force_flush ) mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver, ssl->conf->transport, ssl->out_hdr + 1 ); - memcpy( ssl->out_ctr, ssl->cur_out_ctr, MBEDTLS_SSL_COUNTER_LEN ); + memcpy( ssl->out_ctr, ssl->cur_out_ctr, MBEDTLS_SSL_SEQUENCE_NUMBER_LEN ); MBEDTLS_PUT_UINT16_BE( len, ssl->out_len, 0); if( ssl->transform_out != NULL ) 
@@ -3651,9 +3651,12 @@ static int ssl_prepare_record_content( mbedtls_ssl_context *ssl, #endif { unsigned i; - for( i = MBEDTLS_SSL_COUNTER_LEN; i > mbedtls_ssl_ep_len( ssl ); i-- ) + for( i = MBEDTLS_SSL_SEQUENCE_NUMBER_LEN; + i > mbedtls_ssl_ep_len( ssl ); i-- ) + { if( ++ssl->in_ctr[i - 1] != 0 ) break; + } /* The loop goes to its end iff the counter is wrapping */ if( i == mbedtls_ssl_ep_len( ssl ) ) @@ -4793,7 +4796,7 @@ int mbedtls_ssl_parse_change_cipher_spec( mbedtls_ssl_context *ssl ) } else #endif /* MBEDTLS_SSL_PROTO_DTLS */ - mbedtls_platform_zeroize( ssl->in_ctr, MBEDTLS_SSL_COUNTER_LEN ); + mbedtls_platform_zeroize( ssl->in_ctr, MBEDTLS_SSL_SEQUENCE_NUMBER_LEN ); mbedtls_ssl_update_in_pointers( ssl ); @@ -4829,12 +4832,12 @@ void mbedtls_ssl_update_out_pointers( mbedtls_ssl_context *ssl, { ssl->out_ctr = ssl->out_hdr + 3; #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) - ssl->out_cid = ssl->out_ctr + MBEDTLS_SSL_COUNTER_LEN; + ssl->out_cid = ssl->out_ctr + MBEDTLS_SSL_SEQUENCE_NUMBER_LEN; ssl->out_len = ssl->out_cid; if( transform != NULL ) ssl->out_len += transform->out_cid_len; #else /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ - ssl->out_len = ssl->out_ctr + MBEDTLS_SSL_COUNTER_LEN; + ssl->out_len = ssl->out_ctr + MBEDTLS_SSL_SEQUENCE_NUMBER_LEN; #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ ssl->out_iv = ssl->out_len + 2; } 
@@ -4883,17 +4886,17 @@ void mbedtls_ssl_update_in_pointers( mbedtls_ssl_context *ssl ) * ssl_parse_record_header(). */ ssl->in_ctr = ssl->in_hdr + 3; #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) - ssl->in_cid = ssl->in_ctr + MBEDTLS_SSL_COUNTER_LEN; + ssl->in_cid = ssl->in_ctr + MBEDTLS_SSL_SEQUENCE_NUMBER_LEN; ssl->in_len = ssl->in_cid; /* Default: no CID */ #else /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ - ssl->in_len = ssl->in_ctr + MBEDTLS_SSL_COUNTER_LEN; + ssl->in_len = ssl->in_ctr + MBEDTLS_SSL_SEQUENCE_NUMBER_LEN; #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ ssl->in_iv = ssl->in_len + 2; } else #endif { - ssl->in_ctr = ssl->in_hdr - MBEDTLS_SSL_COUNTER_LEN; + ssl->in_ctr = ssl->in_hdr - MBEDTLS_SSL_SEQUENCE_NUMBER_LEN; ssl->in_len = ssl->in_hdr + 3; #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) ssl->in_cid = ssl->in_len; @@ -5068,7 +5071,7 @@ static int ssl_check_ctr_renegotiate( mbedtls_ssl_context *ssl ) in_ctr_cmp = memcmp( ssl->in_ctr + ep_len, &ssl->conf->renego_period[ep_len], - MBEDTLS_SSL_COUNTER_LEN - ep_len ); + MBEDTLS_SSL_SEQUENCE_NUMBER_LEN - ep_len ); out_ctr_cmp = memcmp( &ssl->cur_out_ctr[ep_len], &ssl->conf->renego_period[ep_len], sizeof( ssl->cur_out_ctr ) - ep_len ); @@ -5559,7 +5562,7 @@ void mbedtls_ssl_set_inbound_transform( mbedtls_ssl_context *ssl, mbedtls_ssl_transform *transform ) { ssl->transform_in = transform; - mbedtls_platform_zeroize( ssl->in_ctr, MBEDTLS_SSL_COUNTER_LEN ); + mbedtls_platform_zeroize( ssl->in_ctr, MBEDTLS_SSL_SEQUENCE_NUMBER_LEN ); } void mbedtls_ssl_set_outbound_transform( mbedtls_ssl_context *ssl, diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 26cf6b3e09..8c1fdd816e 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c 
@@ -5778,11 +5778,11 @@ int mbedtls_ssl_context_save( mbedtls_ssl_context *ssl, } #endif /* MBEDTLS_SSL_PROTO_DTLS */ - used += MBEDTLS_SSL_COUNTER_LEN; + used += MBEDTLS_SSL_SEQUENCE_NUMBER_LEN; if( used <= buf_len ) { - memcpy( p, ssl->cur_out_ctr, MBEDTLS_SSL_COUNTER_LEN ); - p += MBEDTLS_SSL_COUNTER_LEN; + memcpy( p, ssl->cur_out_ctr, MBEDTLS_SSL_SEQUENCE_NUMBER_LEN ); + p += MBEDTLS_SSL_SEQUENCE_NUMBER_LEN; } #if defined(MBEDTLS_SSL_PROTO_DTLS) From d1ab2628444324a5784b813b1c9c2b53d296595b Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Fri, 8 Oct 2021 15:36:57 +0800 Subject: [PATCH 22/24] define max md size for tls1_3 Signed-off-by: Jerry Yu --- include/mbedtls/md.h | 4 ++++ library/ssl_misc.h | 6 +++--- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/include/mbedtls/md.h b/include/mbedtls/md.h index fa2b152f96..34f314f3f4 100644 --- a/include/mbedtls/md.h +++ b/include/mbedtls/md.h @@ -74,6 +74,10 @@ typedef enum { #define MBEDTLS_MD_MAX_BLOCK_SIZE 64 #endif +#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) +#define MBEDTLS_TLS1_3_MD_MAX_SIZE MBEDTLS_MD_MAX_SIZE +#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ + /** * Opaque struct. * diff --git a/library/ssl_misc.h b/library/ssl_misc.h index d194b0e1eb..b8361dbb65 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -678,9 +678,9 @@ struct mbedtls_ssl_handshake_params union { - unsigned char early [MBEDTLS_MD_MAX_SIZE]; - unsigned char handshake[MBEDTLS_MD_MAX_SIZE]; - unsigned char app [MBEDTLS_MD_MAX_SIZE]; + unsigned char early [MBEDTLS_TLS1_3_MD_MAX_SIZE]; + unsigned char handshake[MBEDTLS_TLS1_3_MD_MAX_SIZE]; + unsigned char app [MBEDTLS_TLS1_3_MD_MAX_SIZE]; } tls1_3_master_secrets; #endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ From 88b756bacb410918b91897bdcd96973be54e6198 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Fri, 8 Oct 2021 18:41:38 +0800 Subject: [PATCH 23/24] move tls1_3 max md size It should be internal definition 
Signed-off-by: Jerry Yu --- include/mbedtls/md.h | 4 ---- library/ssl_misc.h | 4 ++++ 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/include/mbedtls/md.h b/include/mbedtls/md.h index 34f314f3f4..fa2b152f96 100644 --- a/include/mbedtls/md.h +++ b/include/mbedtls/md.h @@ -74,10 +74,6 @@ typedef enum { #define MBEDTLS_MD_MAX_BLOCK_SIZE 64 #endif -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) -#define MBEDTLS_TLS1_3_MD_MAX_SIZE MBEDTLS_MD_MAX_SIZE -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ - /** * Opaque struct. * diff --git a/library/ssl_misc.h b/library/ssl_misc.h index b8361dbb65..76962d3fa6 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -307,6 +307,10 @@ + ( MBEDTLS_SSL_CID_OUT_LEN_MAX ) ) #endif +#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) +#define MBEDTLS_TLS1_3_MD_MAX_SIZE MBEDTLS_MD_MAX_SIZE +#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ + #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) /** * \brief Return the maximum fragment length (payload, in bytes) for From fd320e9a6e521650aab86126da9627aec55e4db0 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Fri, 8 Oct 2021 21:52:41 +0800 Subject: [PATCH 24/24] Replace zeroize with memset Signed-off-by: Jerry Yu --- library/ssl_msg.c | 6 +++--- library/ssl_tls.c | 7 +++---- 2 files changed, 6 insertions(+), 7 deletions(-) diff --git a/library/ssl_msg.c b/library/ssl_msg.c index 7fa0a56174..fdb647a508 100644 --- a/library/ssl_msg.c +++ b/library/ssl_msg.c @@ -4796,7 +4796,7 @@ int mbedtls_ssl_parse_change_cipher_spec( mbedtls_ssl_context *ssl ) } else #endif /* MBEDTLS_SSL_PROTO_DTLS */ - mbedtls_platform_zeroize( ssl->in_ctr, MBEDTLS_SSL_SEQUENCE_NUMBER_LEN ); + memset( ssl->in_ctr, 0, MBEDTLS_SSL_SEQUENCE_NUMBER_LEN ); mbedtls_ssl_update_in_pointers( ssl ); 
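Review bot: Swapping `mbedtls_platform_zeroize` for `memset` here and in the three other sites of this commit (mbedtls_ssl_set_inbound_transform, mbedtls_ssl_set_outbound_transform, mbedtls_ssl_write_finished and ssl_session_reset_msg_layer in the following hunks) is defensible only because the record sequence counters are predictable protocol state rather than key material, but neither the code nor the commit message records that reasoning. Without it the next reader may revert the change as a regression or, worse, copy the plain-memset pattern to a buffer that does hold secrets, where the compiler is free to elide the store. A one-line comment at the first site, e.g. `/* Sequence numbers are not secret; a plain memset is sufficient here */`, would pin the rationale.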
@@ -5562,14 +5562,14 @@ void mbedtls_ssl_set_inbound_transform( mbedtls_ssl_context *ssl, mbedtls_ssl_transform *transform ) { ssl->transform_in = transform; - mbedtls_platform_zeroize( ssl->in_ctr, MBEDTLS_SSL_SEQUENCE_NUMBER_LEN ); + memset( ssl->in_ctr, 0, MBEDTLS_SSL_SEQUENCE_NUMBER_LEN ); } void mbedtls_ssl_set_outbound_transform( mbedtls_ssl_context *ssl, mbedtls_ssl_transform *transform ) { ssl->transform_out = transform; - mbedtls_platform_zeroize( ssl->cur_out_ctr, sizeof( ssl->cur_out_ctr ) ); + memset( ssl->cur_out_ctr, 0, sizeof( ssl->cur_out_ctr ) ); } #if defined(MBEDTLS_SSL_PROTO_DTLS) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 8c1fdd816e..bf3ab09397 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -2824,8 +2824,7 @@ int mbedtls_ssl_write_finished( mbedtls_ssl_context *ssl ) sizeof( ssl->handshake->alt_out_ctr ) ); /* Set sequence_number to zero */ - mbedtls_platform_zeroize( &ssl->cur_out_ctr[2], - sizeof( ssl->cur_out_ctr ) - 2 ); + memset( &ssl->cur_out_ctr[2], 0, sizeof( ssl->cur_out_ctr ) - 2 ); /* Increment epoch */ @@ -2842,7 +2841,7 @@ int mbedtls_ssl_write_finished( mbedtls_ssl_context *ssl ) } else #endif /* MBEDTLS_SSL_PROTO_DTLS */ - mbedtls_platform_zeroize( ssl->cur_out_ctr, sizeof( ssl->cur_out_ctr ) ); + memset( ssl->cur_out_ctr, 0, sizeof( ssl->cur_out_ctr ) ); ssl->transform_out = ssl->transform_negotiate; ssl->session_out = ssl->session_negotiate; @@ -3327,7 +3326,7 @@ static void ssl_session_reset_msg_layer( mbedtls_ssl_context *ssl, ssl->out_msglen = 0; ssl->out_left = 0; memset( ssl->out_buf, 0, out_buf_len ); - mbedtls_platform_zeroize( ssl->cur_out_ctr, sizeof( ssl->cur_out_ctr ) ); + memset( ssl->cur_out_ctr, 0, sizeof( ssl->cur_out_ctr ) ); ssl->transform_out = NULL; #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)