From 89662042328410cd98ca01a0226ec8a275d63a44 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Sat, 4 Sep 2021 20:20:18 +0800 Subject: [PATCH 01/17] fix printf fmt warning Signed-off-by: Jerry Yu --- library/ssl_tls13_server.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index 51977c79941c..c8400095e332 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c @@ -708,7 +708,7 @@ int mbedtls_ssl_parse_client_psk_identity_ext( if( diff > MBEDTLS_SSL_TICKET_AGE_TOLERANCE ) { MBEDTLS_SSL_DEBUG_MSG( 3, - ( "Ticket age outside tolerance window ( diff=%lld )", + ( "Ticket age outside tolerance window ( diff=%ld )", diff ) ); ret = MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED; } @@ -724,7 +724,7 @@ int mbedtls_ssl_parse_client_psk_identity_ext( else { MBEDTLS_SSL_DEBUG_MSG( 3, - ( "0-RTT is disabled ( diff=%lld exceeds "\ + ( "0-RTT is disabled ( diff=%ld exceeds "\ "MBEDTLS_SSL_EARLY_DATA_MAX_DELAY )", diff ) ); ssl->session_negotiate->process_early_data = MBEDTLS_SSL_EARLY_DATA_DISABLED; From 96378bf87889fc59d76503ea8bf75af5b14bc545 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Fri, 13 Aug 2021 21:55:16 +0800 Subject: [PATCH 02/17] fix compile error without 0-rtt and mps Change-Id: Ibba188d13b15eb5cf1d5ecc7e9032b9044a98f22 Signed-off-by: Jerry Yu --- library/ssl_tls13_client.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c index ea2487b80b07..56a8c3a50e40 100644 --- a/library/ssl_tls13_client.c +++ b/library/ssl_tls13_client.c @@ -178,10 +178,12 @@ int ssl_write_early_data_process( mbedtls_ssl_context* ssl ) #endif /* MBEDTLS_SSL_USE_MPS */ #else /* MBEDTLS_ZERO_RTT */ +#if defined(MBEDTLS_SSL_USE_MPS) ((void) buf); ((void) buf_len); ((void) msg); ((void) msg_len); +#endif /* Should never happen */ return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); From d3d8e0276640c0be080587771ae6c757e9a0186e Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Mon, 16 Aug 2021 13:44:36 +0800 Subject: [PATCH 03/17] Add early data config option Change-Id: Iec27c917a35a375adb16e82236e8abaaee00517a CustomizedGitHooks: yes Signed-off-by: Jerry Yu --- include/mbedtls/mbedtls_config.h | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/include/mbedtls/mbedtls_config.h b/include/mbedtls/mbedtls_config.h index ffaa4e3eaf3d..b8eb0ff5f9cc 100644 --- a/include/mbedtls/mbedtls_config.h +++ b/include/mbedtls/mbedtls_config.h @@ -1528,6 +1528,14 @@ */ #define MBEDTLS_ZERO_RTT +/** +* \def MBEDTLS_TLS13_EARLY_DATA +* +* Allows to add extension early_data for TLS 1.3 +* +*/ +#define MBEDTLS_TLS13_EARLY_DATA + /** * \def MBEDTLS_SSL_DEBUG_HANDSHAKE_HASHES * From d32c48740cf98cd7a90bd985e91c986ff287f2c4 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Mon, 16 Aug 2021 13:53:03 +0800 Subject: [PATCH 04/17] Wrap early data relative codes change the state machine if early data is not enabled Change-Id: Iede5ab0dee6158110ac33976536117681d1d4a71 CustomizedGitHooks: yes Signed-off-by: Jerry Yu --- include/mbedtls/ssl.h | 5 +++-- library/ssl_tls13_client.c | 26 ++++++++++++++------------ library/ssl_tls13_generic.c | 16 ++++++++++++++-- library/ssl_tls13_server.c | 22 +++++++++++++--------- 4 files changed, 44 insertions(+), 25 deletions(-) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 900e16578a17..3ed3e22d836f 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -648,8 +648,10 @@ typedef enum MBEDTLS_SSL_HELLO_RETRY_REQUEST, MBEDTLS_SSL_SECOND_CLIENT_HELLO, MBEDTLS_SSL_SECOND_SERVER_HELLO, - MBEDTLS_SSL_EARLY_DATA, +#if defined(MBEDTLS_TLS13_EARLY_DATA) + MBEDTLS_SSL_EARLY_APP_DATA, MBEDTLS_SSL_END_OF_EARLY_DATA, +#endif MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY, MBEDTLS_SSL_ENCRYPTED_EXTENSIONS, MBEDTLS_SSL_HANDSHAKE_FINISH_ACK, @@ -661,7 +663,6 @@ typedef enum MBEDTLS_SSL_SERVER_CCS_AFTER_SERVER_HELLO, MBEDTLS_SSL_SERVER_CCS_AFTER_HRR, #endif /* MBEDTLS_SSL_TLS13_COMPATIBILITY_MODE */ - MBEDTLS_SSL_EARLY_APP_DATA #endif } mbedtls_ssl_states; diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c index 56a8c3a50e40..9c7136738d0e 100644 --- a/library/ssl_tls13_client.c +++ b/library/ssl_tls13_client.c @@ -1408,8 +1408,10 @@ static int ssl_client_hello_postprocess( mbedtls_ssl_context* ssl ) { #if defined(MBEDTLS_SSL_TLS13_COMPATIBILITY_MODE) mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_CCS_AFTER_CLIENT_HELLO ); -#else +#elif defined(MBEDTLS_TLS13_EARLY_DATA) mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_EARLY_APP_DATA ); +#else + mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SERVER_HELLO ); #endif /* MBEDTLS_SSL_TLS13_COMPATIBILITY_MODE */ return( 0 ); @@ -3947,10 +3949,20 @@ int mbedtls_ssl_handshake_client_step_tls1_3( mbedtls_ssl_context *ssl ) ret = ssl_client_hello_process( ssl ); break; +#if defined(MBEDTLS_TLS13_EARLY_DATA) case MBEDTLS_SSL_EARLY_APP_DATA: ret = ssl_write_early_data_process( ssl ); break; - + /* + * ==> (EndOfEarlyData) + * (Certificate) + * (CertificateVerify) + * (Finished) + */ + case MBEDTLS_SSL_END_OF_EARLY_DATA: + ret = ssl_write_end_of_early_data_process( ssl ); + break; +#endif /* MBEDTLS_TLS13_EARLY_DATA */ /* * <== ServerHello / HelloRetryRequest * EncryptedExtensions @@ -3983,16 +3995,6 @@ int mbedtls_ssl_handshake_client_step_tls1_3( mbedtls_ssl_context *ssl ) ret = mbedtls_ssl_finished_in_process( ssl ); break; - /* - * ==> (EndOfEarlyData) - * (Certificate) - * (CertificateVerify) - * (Finished) - */ - case MBEDTLS_SSL_END_OF_EARLY_DATA: - ret = ssl_write_end_of_early_data_process( ssl ); - break; - case MBEDTLS_SSL_CLIENT_CERTIFICATE: ret = mbedtls_ssl_write_certificate_process( ssl ); break; diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c index 134fbb50231b..b58f39caa1ca 100644 --- a/library/ssl_tls13_generic.c +++ b/library/ssl_tls13_generic.c @@ -383,7 +383,11 @@ static int ssl_write_change_cipher_spec_postprocess( mbedtls_ssl_context* ssl ) switch( ssl->state ) { case MBEDTLS_SSL_CLIENT_CCS_AFTER_CLIENT_HELLO: +#if defined(MBEDTLS_TLS13_EARLY_DATA) mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_EARLY_APP_DATA ); +#else + mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SERVER_HELLO ); +#endif break; case MBEDTLS_SSL_CLIENT_CCS_BEFORE_2ND_CLIENT_HELLO: mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_HELLO ); @@ -2269,8 +2273,11 @@ static int ssl_finished_out_postprocess( mbedtls_ssl_context* ssl ) if( ret != 0 ) return( ret ); #endif /* MBEDTLS_SSL_USE_MPS */ - +#if defined(MBEDTLS_TLS13_EARLY_DATA) mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_EARLY_APP_DATA ); +#else + mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE ); +#endif } else #endif /* MBEDTLS_SSL_SRV_C */ @@ -2457,8 +2464,13 @@ static int ssl_finished_in_postprocess_cli( mbedtls_ssl_context *ssl ) if( ret != 0 ) return( ret ); #endif /* MBEDTLS_SSL_USE_MPS */ - +#if defined(MBEDTLS_TLS13_EARLY_DATA) mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_END_OF_EARLY_DATA ); +#elif defined(MBEDTLS_SSL_TLS13_COMPATIBILITY_MODE) + mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_CCS_AFTER_SERVER_FINISHED ); +#else + mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE ); +#endif return( 0 ); } #endif /* MBEDTLS_SSL_CLI_C */ diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index c8400095e332..da4919e4e3ed 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c @@ -1803,16 +1803,16 @@ static int ssl_early_data_fetch( mbedtls_ssl_context* ssl, size_t* buflen ); #endif /* MBEDTLS_SSL_USE_MPS */ #endif /* MBEDTLS_ZERO_RTT */ - +#if defined(MBEDTLS_TLS13_EARLY_DATA) static int ssl_read_early_data_coordinate( mbedtls_ssl_context* ssl ); - +#endif #if defined(MBEDTLS_ZERO_RTT) /* Parse early data send by the peer. */ static int ssl_read_early_data_parse( mbedtls_ssl_context* ssl, unsigned char const* buf, size_t buflen ); #endif /* MBEDTLS_ZERO_RTT */ - +#if defined(MBEDTLS_TLS13_EARLY_DATA) /* Update the state after handling the incoming early data message. */ static int ssl_read_early_data_postprocess( mbedtls_ssl_context* ssl ); @@ -1873,6 +1873,7 @@ int ssl_read_early_data_process( mbedtls_ssl_context* ssl ) MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse early data" ) ); return( ret ); } +#endif #if defined(MBEDTLS_ZERO_RTT) #if defined(MBEDTLS_SSL_USE_MPS) @@ -1923,11 +1924,13 @@ static int ssl_early_data_fetch( mbedtls_ssl_context *ssl, #endif /* MBEDTLS_ZERO_RTT */ #if !defined(MBEDTLS_ZERO_RTT) +#if defined(MBEDTLS_TLS13_EARLY_DATA) static int ssl_read_early_data_coordinate( mbedtls_ssl_context* ssl ) { ((void) ssl); return( SSL_EARLY_DATA_SKIP ); } +#endif #else /* MBEDTLS_ZERO_RTT */ static int ssl_read_early_data_coordinate( mbedtls_ssl_context* ssl ) { @@ -2002,11 +2005,13 @@ static int ssl_read_early_data_parse( mbedtls_ssl_context* ssl, } #endif /* MBEDTLS_ZERO_RTT */ +#if defined(MBEDTLS_TLS13_EARLY_DATA) static int ssl_read_early_data_postprocess( mbedtls_ssl_context* ssl ) { mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_END_OF_EARLY_DATA ); return ( 0 ); } +#endif /* MBEDTLS_TLS13_EARLY_DATA */ /* @@ -3931,6 +3936,7 @@ int mbedtls_ssl_handshake_server_step_tls1_3( mbedtls_ssl_context *ssl ) break; +#if defined(MBEDTLS_TLS13_EARLY_DATA) /* ----- WRITE EARLY APP DATA ----*/ case MBEDTLS_SSL_EARLY_APP_DATA: @@ -3940,9 +3946,11 @@ int mbedtls_ssl_handshake_server_step_tls1_3( mbedtls_ssl_context *ssl ) MBEDTLS_SSL_DEBUG_RET( 1, "ssl_read_early_data_process", ret ); return ( ret ); } - break; - + case MBEDTLS_SSL_END_OF_EARLY_DATA: + ret = ssl_read_end_of_early_data_process( ssl ); + break; +#endif /* ----- WRITE HELLO RETRY REQUEST ----*/ case MBEDTLS_SSL_HELLO_RETRY_REQUEST: @@ -4064,10 +4072,6 @@ int mbedtls_ssl_handshake_server_step_tls1_3( mbedtls_ssl_context *ssl ) ret = mbedtls_ssl_read_certificate_verify_process( ssl ); break; - case MBEDTLS_SSL_END_OF_EARLY_DATA: - ret = ssl_read_end_of_early_data_process( ssl ); - break; - /* ----- READ FINISHED ----*/ case MBEDTLS_SSL_CLIENT_FINISHED: From 0ed9f12feefc173a1f7ab923c2f64c89f80f781e Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Thu, 12 Aug 2021 14:50:37 +0800 Subject: [PATCH 05/17] Add state to name debug function Change-Id: I015ae35a141a8b99352f5b90218fe919d7bbdc55 Signed-off-by: Jerry Yu --- include/mbedtls/debug.h | 3 +++ library/debug.c | 47 ++++++++++++++++++++++++++++++++++++++ library/ssl_tls13_client.c | 2 +- library/ssl_tls13_server.c | 2 +- 4 files changed, 52 insertions(+), 2 deletions(-) diff --git a/include/mbedtls/debug.h b/include/mbedtls/debug.h index 0aed59619c64..a013fb169637 100644 --- a/include/mbedtls/debug.h +++ b/include/mbedtls/debug.h @@ -308,4 +308,7 @@ void mbedtls_debug_printf_ecdh( const mbedtls_ssl_context *ssl, int level, } #endif +const char * mbedtls_debug_get_state_string( mbedtls_ssl_states stat); + + #endif /* debug.h */ diff --git a/library/debug.c b/library/debug.c index fa60d13f3028..c804a4c36b86 100644 --- a/library/debug.c +++ b/library/debug.c @@ -419,4 +419,51 @@ void mbedtls_debug_printf_ecdh( const mbedtls_ssl_context *ssl, int level, } #endif /* MBEDTLS_ECDH_C */ +const char * mbedtls_debug_get_state_string( mbedtls_ssl_states stat) +{ + static const char * stat_str[]={ + [MBEDTLS_SSL_HELLO_REQUEST] ="MBEDTLS_SSL_HELLO_REQUEST", + [MBEDTLS_SSL_CLIENT_HELLO] ="MBEDTLS_SSL_CLIENT_HELLO", + [MBEDTLS_SSL_SERVER_HELLO] ="MBEDTLS_SSL_SERVER_HELLO", + [MBEDTLS_SSL_SERVER_CERTIFICATE] ="MBEDTLS_SSL_SERVER_CERTIFICATE", + [MBEDTLS_SSL_SERVER_KEY_EXCHANGE] ="MBEDTLS_SSL_SERVER_KEY_EXCHANGE", + [MBEDTLS_SSL_CERTIFICATE_REQUEST] ="MBEDTLS_SSL_CERTIFICATE_REQUEST", + [MBEDTLS_SSL_SERVER_HELLO_DONE] ="MBEDTLS_SSL_SERVER_HELLO_DONE", + [MBEDTLS_SSL_CLIENT_CERTIFICATE] ="MBEDTLS_SSL_CLIENT_CERTIFICATE", + [MBEDTLS_SSL_CLIENT_KEY_EXCHANGE] ="MBEDTLS_SSL_CLIENT_KEY_EXCHANGE", + [MBEDTLS_SSL_CERTIFICATE_VERIFY] ="MBEDTLS_SSL_CERTIFICATE_VERIFY", + [MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC] ="MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC", + [MBEDTLS_SSL_CLIENT_FINISHED] ="MBEDTLS_SSL_CLIENT_FINISHED", + [MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC] ="MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC", + [MBEDTLS_SSL_SERVER_FINISHED] ="MBEDTLS_SSL_SERVER_FINISHED", + [MBEDTLS_SSL_FLUSH_BUFFERS] ="MBEDTLS_SSL_FLUSH_BUFFERS", + [MBEDTLS_SSL_HANDSHAKE_WRAPUP] ="MBEDTLS_SSL_HANDSHAKE_WRAPUP", + [MBEDTLS_SSL_HANDSHAKE_OVER] ="MBEDTLS_SSL_HANDSHAKE_OVER", + [MBEDTLS_SSL_SERVER_NEW_SESSION_TICKET] ="MBEDTLS_SSL_SERVER_NEW_SESSION_TICKET", + [MBEDTLS_SSL_SERVER_NEW_SESSION_TICKET_FLUSH] ="MBEDTLS_SSL_SERVER_NEW_SESSION_TICKET_FLUSH", + [MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT] ="MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT", +#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) + [MBEDTLS_SSL_HELLO_RETRY_REQUEST] ="MBEDTLS_SSL_HELLO_RETRY_REQUEST", + [MBEDTLS_SSL_SECOND_CLIENT_HELLO] ="MBEDTLS_SSL_SECOND_CLIENT_HELLO", + [MBEDTLS_SSL_SECOND_SERVER_HELLO] ="MBEDTLS_SSL_SECOND_SERVER_HELLO", + [MBEDTLS_SSL_EARLY_APP_DATA] ="MBEDTLS_SSL_EARLY_APP_DATA", + [MBEDTLS_SSL_END_OF_EARLY_DATA] ="MBEDTLS_SSL_END_OF_EARLY_DATA", + [MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY] ="MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY", + [MBEDTLS_SSL_ENCRYPTED_EXTENSIONS] ="MBEDTLS_SSL_ENCRYPTED_EXTENSIONS", + [MBEDTLS_SSL_HANDSHAKE_FINISH_ACK] ="MBEDTLS_SSL_HANDSHAKE_FINISH_ACK", + [MBEDTLS_SSL_CLIENT_NEW_SESSION_TICKET] ="MBEDTLS_SSL_CLIENT_NEW_SESSION_TICKET", +#if defined(MBEDTLS_SSL_TLS13_COMPATIBILITY_MODE) + [MBEDTLS_SSL_CLIENT_CCS_BEFORE_2ND_CLIENT_HELLO] ="MBEDTLS_SSL_CLIENT_CCS_BEFORE_2ND_CLIENT_HELLO", + [MBEDTLS_SSL_CLIENT_CCS_AFTER_SERVER_FINISHED] ="MBEDTLS_SSL_CLIENT_CCS_AFTER_SERVER_FINISHED", + [MBEDTLS_SSL_CLIENT_CCS_AFTER_CLIENT_HELLO] ="MBEDTLS_SSL_CLIENT_CCS_AFTER_CLIENT_HELLO", + [MBEDTLS_SSL_SERVER_CCS_AFTER_SERVER_HELLO] ="MBEDTLS_SSL_SERVER_CCS_AFTER_SERVER_HELLO", + [MBEDTLS_SSL_SERVER_CCS_AFTER_HRR] ="MBEDTLS_SSL_SERVER_CCS_AFTER_HRR", +#endif /* MBEDTLS_SSL_TLS13_COMPATIBILITY_MODE */ +#endif + }; + if( stat < 0 || stat >= sizeof(stat_str)/sizeof(stat_str[0]) ) + return( "null" ); + return( stat_str[stat] ? stat_str[stat] : "null" ); +} + #endif /* MBEDTLS_DEBUG_C */ diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c index 9c7136738d0e..9d998312a497 100644 --- a/library/ssl_tls13_client.c +++ b/library/ssl_tls13_client.c @@ -3930,7 +3930,7 @@ int mbedtls_ssl_handshake_client_step_tls1_3( mbedtls_ssl_context *ssl ) MBEDTLS_SSL_DEBUG_MSG( 2, ( "Handshake completed but ssl->handshake is NULL.\n" ) ); return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); } - MBEDTLS_SSL_DEBUG_MSG( 2, ( "client state: %d", ssl->state ) ); + MBEDTLS_SSL_DEBUG_MSG( 2, ( "client state: %s(%d)", mbedtls_debug_get_state_string(ssl->state), ssl->state ) ); if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 ) return( ret ); diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index da4919e4e3ed..46d564b08e15 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c @@ -3901,7 +3901,7 @@ int mbedtls_ssl_handshake_server_step_tls1_3( mbedtls_ssl_context *ssl ) if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER || ssl->handshake == NULL ) return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); - MBEDTLS_SSL_DEBUG_MSG( 2, ( "server state: %d", ssl->state ) ); + MBEDTLS_SSL_DEBUG_MSG( 2, ( "server state: %s(%d)", mbedtls_debug_get_state_string(ssl->state), ssl->state ) ); #if !defined(MBEDTLS_SSL_USE_MPS) if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 ) From dfde1e86b009210b6323d918e6ff914d94e46def Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Mon, 16 Aug 2021 13:53:38 +0800 Subject: [PATCH 06/17] modify stat to str functions Change-Id: I6de197161d012960c391503db3e26db9b1342ff1 CustomizedGitHooks: yes Signed-off-by: Jerry Yu --- library/debug.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/library/debug.c b/library/debug.c index c804a4c36b86..5eb31c1618ff 100644 --- a/library/debug.c +++ b/library/debug.c @@ -446,8 +446,10 @@ const char * mbedtls_debug_get_state_string( mbedtls_ssl_states stat) [MBEDTLS_SSL_HELLO_RETRY_REQUEST] ="MBEDTLS_SSL_HELLO_RETRY_REQUEST", [MBEDTLS_SSL_SECOND_CLIENT_HELLO] ="MBEDTLS_SSL_SECOND_CLIENT_HELLO", [MBEDTLS_SSL_SECOND_SERVER_HELLO] ="MBEDTLS_SSL_SECOND_SERVER_HELLO", +#if defined(MBEDTLS_TLS13_EARLY_DATA) [MBEDTLS_SSL_EARLY_APP_DATA] ="MBEDTLS_SSL_EARLY_APP_DATA", [MBEDTLS_SSL_END_OF_EARLY_DATA] ="MBEDTLS_SSL_END_OF_EARLY_DATA", +#endif [MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY] ="MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY", [MBEDTLS_SSL_ENCRYPTED_EXTENSIONS] ="MBEDTLS_SSL_ENCRYPTED_EXTENSIONS", [MBEDTLS_SSL_HANDSHAKE_FINISH_ACK] ="MBEDTLS_SSL_HANDSHAKE_FINISH_ACK", From d5cddcc7b639c0f838f520ff6cfff56f76907d2c Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Tue, 17 Aug 2021 17:09:16 +0800 Subject: [PATCH 07/17] fix build fail without session ticket Change-Id: Ic8dd4967c9b11de41d2357a78303d9f6b03684a4 CustomizedGitHooks: yes Signed-off-by: Jerry Yu --- library/ssl_misc.h | 2 ++ library/ssl_tls13_client.c | 3 ++- library/ssl_tls13_server.c | 11 ++++++----- tests/suites/test_suite_ssl.function | 14 ++++++++------ 4 files changed, 18 insertions(+), 12 deletions(-) diff --git a/library/ssl_misc.h b/library/ssl_misc.h index 99c9e7ed402a..e361151785bd 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -1474,6 +1474,7 @@ static inline int mbedtls_ssl_get_psk_to_offer( const mbedtls_ssl_context *ssl, ptrs_present = 1; } +#if defined(MBEDTLS_SSL_NEW_SESSION_TICKET) /* Check if a ticket has been configured. */ if( ssl->session_negotiate != NULL && ssl->session_negotiate->ticket != NULL ) @@ -1487,6 +1488,7 @@ static inline int mbedtls_ssl_get_psk_to_offer( const mbedtls_ssl_context *ssl, } return( 0 ); } +#endif /* MBEDTLS_SSL_NEW_SESSION_TICKET */ /* Check if an external PSK has been configured. */ if( ssl->conf->psk != NULL ) diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c index 9d998312a497..f7ce26822fc9 100644 --- a/library/ssl_tls13_client.c +++ b/library/ssl_tls13_client.c @@ -4007,6 +4007,7 @@ int mbedtls_ssl_handshake_client_step_tls1_3( mbedtls_ssl_context *ssl ) ret = mbedtls_ssl_finished_out_process( ssl ); break; +#if defined(MBEDTLS_SSL_NEW_SESSION_TICKET) /* * <== NewSessionTicket */ @@ -4018,7 +4019,7 @@ int mbedtls_ssl_handshake_client_step_tls1_3( mbedtls_ssl_context *ssl ) ret = MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET; break; - +#endif /* MBEDTLS_SSL_NEW_SESSION_TICKET */ /* * Injection of dummy-CCS's for middlebox compatibility */ diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index 46d564b08e15..68ac38a0f9ec 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c @@ -4099,22 +4099,22 @@ int mbedtls_ssl_handshake_server_step_tls1_3( mbedtls_ssl_context *ssl ) #endif /* MBEDTLS_SSL_USE_MPS */ mbedtls_ssl_handshake_wrapup_tls13( ssl ); +#if defined(MBEDTLS_SSL_NEW_SESSION_TICKET) mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SERVER_NEW_SESSION_TICKET ); +#else + mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_HANDSHAKE_OVER ); +#endif break; - case MBEDTLS_SSL_SERVER_NEW_SESSION_TICKET: - #if defined(MBEDTLS_SSL_NEW_SESSION_TICKET) - + case MBEDTLS_SSL_SERVER_NEW_SESSION_TICKET: ret = ssl_write_new_session_ticket_process( ssl ); if( ret != 0 ) { MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_new_session_ticket ", ret ); return( ret ); } -#endif /* MBEDTLS_SSL_NEW_SESSION_TICKET */ - break; case MBEDTLS_SSL_SERVER_NEW_SESSION_TICKET_FLUSH: @@ -4123,6 +4123,7 @@ int mbedtls_ssl_handshake_server_step_tls1_3( mbedtls_ssl_context *ssl ) return( ret ); mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_HANDSHAKE_OVER ); break; +#endif /* MBEDTLS_SSL_NEW_SESSION_TICKET */ default: MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) ); diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index 8e02b4538835..426f6f0e191a 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function @@ -1431,6 +1431,7 @@ cleanup: return( ret ); } +#if defined(MBEDTLS_SSL_NEW_SESSION_TICKET) /* * Populate a session structure for serialization tests. * Choose dummy values, mostly non-0 to distinguish from the init default. @@ -1515,6 +1516,7 @@ static int ssl_populate_session_tls12( mbedtls_ssl_session *session, return( 0 ); } +#endif /* MBEDTLS_SSL_NEW_SESSION_TICKET */ /* * Perform data exchanging between \p ssl_1 and \p ssl_2 and check if the @@ -3888,7 +3890,7 @@ void ssl_tls1_3_derive_application_secrets( int hash_alg, } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ +/* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL:MBEDTLS_SSL_NEW_SESSION_TICKET */ void ssl_tls1_3_derive_resumption_secrets( int hash_alg, data_t *secret, data_t *transcript, @@ -3991,7 +3993,7 @@ exit: } /* END_CASE */ -/* BEGIN_CASE */ +/* BEGIN_CASE depends_on:MBEDTLS_SSL_NEW_SESSION_TICKET */ void ssl_serialize_session_save_load( int ticket_len, char *crt_file ) { mbedtls_ssl_session original, restored; @@ -4089,7 +4091,7 @@ exit: } /* END_CASE */ -/* BEGIN_CASE */ +/* BEGIN_CASE depends_on:MBEDTLS_SSL_NEW_SESSION_TICKET */ void ssl_serialize_session_load_save( int ticket_len, char *crt_file ) { mbedtls_ssl_session session; @@ -4139,7 +4141,7 @@ exit: } /* END_CASE */ -/* BEGIN_CASE */ +/* BEGIN_CASE depends_on:MBEDTLS_SSL_NEW_SESSION_TICKET */ void ssl_serialize_session_save_buf_size( int ticket_len, char *crt_file ) { mbedtls_ssl_session session; @@ -4175,7 +4177,7 @@ exit: } /* END_CASE */ -/* BEGIN_CASE */ +/* BEGIN_CASE depends_on:MBEDTLS_SSL_NEW_SESSION_TICKET */ void ssl_serialize_session_load_buf_size( int ticket_len, char *crt_file ) { mbedtls_ssl_session session; @@ -4217,7 +4219,7 @@ exit: } /* END_CASE */ -/* BEGIN_CASE */ +/* BEGIN_CASE depends_on:MBEDTLS_SSL_NEW_SESSION_TICKET */ void ssl_session_serialize_version_check( int corrupt_major, int corrupt_minor, int corrupt_patch, From 51d405803d2545df1dd9cfa51fba960371b39949 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Mon, 23 Aug 2021 09:55:42 +0800 Subject: [PATCH 08/17] fix compile warnings in encrypt extensions if all extensions are disabled, it reports unused variable or parameter error CustomizedGitHooks: yes Change-Id: I74cffec7b0bb9d4e11d33414d27ad90758e630cf Signed-off-by: Jerry Yu --- library/ssl_tls13_server.c | 23 ++++++++++++++++++++--- 1 file changed, 20 insertions(+), 3 deletions(-) diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index 68ac38a0f9ec..005fba898150 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c @@ -3085,14 +3085,31 @@ static int ssl_encrypted_extensions_write( mbedtls_ssl_context* ssl, size_t buflen, size_t* olen ) { + + + size_t enc_ext_len; + unsigned char *p, *len; + +#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) || \ + defined(MBEDTLS_SSL_ALPN) || \ + defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) || \ + defined(MBEDTLS_ZERO_RTT) int ret; - size_t n, enc_ext_len; - unsigned char *p, *end, *len; + size_t n; + unsigned char *end; + end = buf + buflen; +#else + ((void) ssl); + ((void) buflen); +#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION || + MBEDTLS_SSL_ALPN || + MBEDTLS_SSL_MAX_FRAGMENT_LENGTH || + MBEDTLS_ZERO_RTT */ /* If all extensions are disabled then olen is 0. */ *olen = 0; - end = buf + buflen; + p = buf; /* From 3f31e22658fd7e62d84c9c630e3e042051b062dc Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Thu, 19 Aug 2021 13:56:13 +0800 Subject: [PATCH 09/17] fix build and test fail without ticket and cookie Signed-off-by: Jerry Yu --- include/mbedtls/ssl.h | 2 ++ library/debug.c | 2 ++ library/ssl_misc.h | 1 - library/ssl_tls13_client.c | 42 +++++++++++++++++++++++++++++++++++++- library/ssl_tls13_server.c | 1 - 5 files changed, 45 insertions(+), 3 deletions(-) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 3ed3e22d836f..084df255971f 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -655,7 +655,9 @@ typedef enum MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY, MBEDTLS_SSL_ENCRYPTED_EXTENSIONS, MBEDTLS_SSL_HANDSHAKE_FINISH_ACK, +#if defined(MBEDTLS_SSL_NEW_SESSION_TICKET) MBEDTLS_SSL_CLIENT_NEW_SESSION_TICKET, +#endif #if defined(MBEDTLS_SSL_TLS13_COMPATIBILITY_MODE) MBEDTLS_SSL_CLIENT_CCS_BEFORE_2ND_CLIENT_HELLO, MBEDTLS_SSL_CLIENT_CCS_AFTER_SERVER_FINISHED, diff --git a/library/debug.c b/library/debug.c index 5eb31c1618ff..ea1e71ab79e0 100644 --- a/library/debug.c +++ b/library/debug.c @@ -453,7 +453,9 @@ const char * mbedtls_debug_get_state_string( mbedtls_ssl_states stat) [MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY] ="MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY", [MBEDTLS_SSL_ENCRYPTED_EXTENSIONS] ="MBEDTLS_SSL_ENCRYPTED_EXTENSIONS", [MBEDTLS_SSL_HANDSHAKE_FINISH_ACK] ="MBEDTLS_SSL_HANDSHAKE_FINISH_ACK", +#if defined(MBEDTLS_SSL_NEW_SESSION_TICKET) [MBEDTLS_SSL_CLIENT_NEW_SESSION_TICKET] ="MBEDTLS_SSL_CLIENT_NEW_SESSION_TICKET", +#endif #if defined(MBEDTLS_SSL_TLS13_COMPATIBILITY_MODE) [MBEDTLS_SSL_CLIENT_CCS_BEFORE_2ND_CLIENT_HELLO] ="MBEDTLS_SSL_CLIENT_CCS_BEFORE_2ND_CLIENT_HELLO", [MBEDTLS_SSL_CLIENT_CCS_AFTER_SERVER_FINISHED] ="MBEDTLS_SSL_CLIENT_CCS_AFTER_SERVER_FINISHED", diff --git a/library/ssl_misc.h b/library/ssl_misc.h index e361151785bd..a526a164822d 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -1473,7 +1473,6 @@ static inline int mbedtls_ssl_get_psk_to_offer( const mbedtls_ssl_context *ssl, { ptrs_present = 1; } - #if defined(MBEDTLS_SSL_NEW_SESSION_TICKET) /* Check if a ticket has been configured. */ if( ssl->session_negotiate != NULL && diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c index f7ce26822fc9..bb48da7f665e 100644 --- a/library/ssl_tls13_client.c +++ b/library/ssl_tls13_client.c @@ -1008,7 +1008,7 @@ int mbedtls_ssl_write_pre_shared_key_ext( mbedtls_ssl_context *ssl, #endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */ - +#if defined(MBEDTLS_SSL_COOKIE_C) static int ssl_write_cookie_ext( mbedtls_ssl_context *ssl, unsigned char* buf, unsigned char* end, @@ -1056,6 +1056,7 @@ static int ssl_write_cookie_ext( mbedtls_ssl_context *ssl, return( 0 ); } +#endif /* MBEDTLS_SSL_COOKIE_C */ #if defined(MBEDTLS_ECDH_C) /* @@ -1665,11 +1666,49 @@ static int ssl_client_hello_write_partial( mbedtls_ssl_context* ssl, total_ext_len += cur_ext_len; buf += cur_ext_len; +#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) + /* The supported_groups and the key_share extensions are + * REQUIRED for ECDHE ciphersuites. + */ + ret = ssl_write_supported_groups_ext( ssl, buf, end, &cur_ext_len ); + if( ret != 0 ) + return( ret ); + + total_ext_len += cur_ext_len; + buf += cur_ext_len; + + /* The supported_signature_algorithms extension is REQUIRED for + * certificate authenticated ciphersuites. */ + ret = mbedtls_ssl_write_signature_algorithms_ext( ssl, buf, end, &cur_ext_len ); + if( ret != 0 ) + return( ret ); + + total_ext_len += cur_ext_len; + buf += cur_ext_len; + + /* We need to send the key shares under three conditions: + * 1 ) A certificate-based ciphersuite is being offered. In this case + * supported_groups and supported_signature extensions have been successfully added. + * 2 ) A PSK-based ciphersuite with ECDHE is offered. In this case the + * psk_key_exchange_modes has been added as the last extension. + * 3 ) Or, in case all ciphers are supported ( which includes #1 and #2 from above ) + */ + + ret = ssl_write_key_shares_ext( ssl, buf, end, &cur_ext_len ); + if( ret != 0 ) + return( ret ); + + total_ext_len += cur_ext_len; + buf += cur_ext_len; +#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ + +#if defined(MBEDTLS_SSL_COOKIE_C) /* For TLS / DTLS 1.3 we need to support the use of cookies * ( if the server provided them ) */ ssl_write_cookie_ext( ssl, buf, end, &cur_ext_len ); total_ext_len += cur_ext_len; buf += cur_ext_len; +#endif /* MBEDTLS_SSL_COOKIE_C */ #if defined(MBEDTLS_SSL_ALPN) ssl_write_alpn_ext( ssl, buf, end, &cur_ext_len ); @@ -4020,6 +4059,7 @@ int mbedtls_ssl_handshake_client_step_tls1_3( mbedtls_ssl_context *ssl ) ret = MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET; break; #endif /* MBEDTLS_SSL_NEW_SESSION_TICKET */ + /* * Injection of dummy-CCS's for middlebox compatibility */ diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index 005fba898150..cac3accc1e7d 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c @@ -4121,7 +4121,6 @@ int mbedtls_ssl_handshake_server_step_tls1_3( mbedtls_ssl_context *ssl ) #else mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_HANDSHAKE_OVER ); #endif - break; #if defined(MBEDTLS_SSL_NEW_SESSION_TICKET) From 751a133749b0e6029593648eedf6203b39415b67 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Thu, 19 Aug 2021 14:58:10 +0800 Subject: [PATCH 10/17] fix build fail without server name Change-Id: I8fe177515d462f6b70e1c824ea75ffc4b5987a68 CustomizedGitHooks: yes Signed-off-by: Jerry Yu --- library/ssl_tls13_server.c | 13 +++---------- 1 file changed, 3 insertions(+), 10 deletions(-) diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index cac3accc1e7d..45057af8a2e0 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c @@ -3086,10 +3086,8 @@ static int ssl_encrypted_extensions_write( mbedtls_ssl_context* ssl, size_t* olen ) { - size_t enc_ext_len; - unsigned char *p, *len; - + unsigned char *p, *len; #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) || \ defined(MBEDTLS_SSL_ALPN) || \ defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) || \ @@ -3097,19 +3095,14 @@ static int ssl_encrypted_extensions_write( mbedtls_ssl_context* ssl, int ret; size_t n; unsigned char *end; + end = buf + buflen; #else ((void) ssl); ((void) buflen); -#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION || - MBEDTLS_SSL_ALPN || - MBEDTLS_SSL_MAX_FRAGMENT_LENGTH || - MBEDTLS_ZERO_RTT */ - +#endif /* If all extensions are disabled then olen is 0. */ *olen = 0; - - p = buf; /* From a5618026b9365961ce2b9be920c7d996109f7428 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Thu, 19 Aug 2021 15:09:30 +0800 Subject: [PATCH 11/17] move position of some extensions Move support groups, signature algorithm and key share up. To make consistent with `development` Change-Id: I44583b08d70e86a4af51c5f486c0f3617fc970c2 CustomizedGitHooks: yes Signed-off-by: Jerry Yu --- library/ssl_tls13_client.c | 36 ------------------------------------ 1 file changed, 36 deletions(-) diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c index bb48da7f665e..9a3675870b0b 100644 --- a/library/ssl_tls13_client.c +++ b/library/ssl_tls13_client.c @@ -1762,42 +1762,6 @@ static int ssl_client_hello_write_partial( mbedtls_ssl_context* ssl, buf += cur_ext_len; #endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */ -#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) - /* The supported_groups and the key_share extensions are - * REQUIRED for ECDHE ciphersuites. - */ - ret = ssl_write_supported_groups_ext( ssl, buf, end, &cur_ext_len ); - if( ret != 0 ) - return( ret ); - - total_ext_len += cur_ext_len; - buf += cur_ext_len; - - /* The supported_signature_algorithms extension is REQUIRED for - * certificate authenticated ciphersuites. */ - ret = mbedtls_ssl_write_signature_algorithms_ext( ssl, buf, end, &cur_ext_len ); - if( ret != 0 ) - return( ret ); - - total_ext_len += cur_ext_len; - buf += cur_ext_len; - - /* We need to send the key shares under three conditions: - * 1 ) A certificate-based ciphersuite is being offered. In this case - * supported_groups and supported_signature extensions have been successfully added. - * 2 ) A PSK-based ciphersuite with ECDHE is offered. In this case the - * psk_key_exchange_modes has been added as the last extension. - * 3 ) Or, in case all ciphers are supported ( which includes #1 and #2 from above ) - */ - - ret = ssl_write_key_shares_ext( ssl, buf, end, &cur_ext_len ); - if( ret != 0 ) - return( ret ); - - total_ext_len += cur_ext_len; - buf += cur_ext_len; -#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ - #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) { size_t bytes_written; From f01299b880dbc3f1fdb3001b15386184955aac8f Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Sat, 4 Sep 2021 17:09:41 +0800 Subject: [PATCH 12/17] move key_exchange out of some psk_enable Change-Id: Ib002ea7cc783a649d44a26e9ff56e6dbd5280e73 CustomizedGitHooks: yes Signed-off-by: Jerry Yu --- library/ssl_tls.c | 20 +++++++++++--------- 1 file changed, 11 insertions(+), 9 deletions(-) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 6b75c8e10561..e5d6754a1fc9 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -4405,15 +4405,7 @@ int mbedtls_ssl_conf_psk( mbedtls_ssl_config *conf, } -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) -/* mbedtls_ssl_conf_tls13_key_exchange( ) allows to set the key exchange mode. */ -int mbedtls_ssl_conf_tls13_key_exchange( mbedtls_ssl_config* conf, - const int key_exchange_mode ) -{ - conf->key_exchange_modes = key_exchange_mode; - return 0; -} -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ + void mbedtls_ssl_remove_hs_psk( mbedtls_ssl_context* ssl ) @@ -4509,6 +4501,16 @@ void mbedtls_ssl_conf_psk_cb( mbedtls_ssl_config *conf, } #endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */ +#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) +/* mbedtls_ssl_conf_tls13_key_exchange( ) allows to set the key exchange mode. */ +int mbedtls_ssl_conf_tls13_key_exchange( mbedtls_ssl_config* conf, + const int key_exchange_mode ) +{ + conf->key_exchange_modes = key_exchange_mode; + return 0; +} +#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ + #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C) int mbedtls_ssl_conf_dh_param_bin( mbedtls_ssl_config *conf, const unsigned char *dhm_P, size_t P_len, From 25c1b4fb9b212ff8601c05061a727c27af026e70 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Sat, 4 Sep 2021 17:15:22 +0800 Subject: [PATCH 13/17] fix test fail when all psk disabled Change-Id: Ic028e292504cff6f3621288bfd0043b18556ea77 CustomizedGitHooks: yes Signed-off-by: Jerry Yu --- library/ssl_tls13_keys.h | 2 +- tests/suites/test_suite_ssl.function | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/library/ssl_tls13_keys.h b/library/ssl_tls13_keys.h index 44b3ee1cdbb7..1942e02f5b38 100644 --- a/library/ssl_tls13_keys.h +++ b/library/ssl_tls13_keys.h @@ -652,10 +652,10 @@ int mbedtls_ssl_tls1_3_calc_finished( mbedtls_ssl_context* ssl, size_t *actual_len, int from ); -#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) #define MBEDTLS_SSL_TLS1_3_PSK_EXTERNAL 0 #define MBEDTLS_SSL_TLS1_3_PSK_RESUMPTION 1 +#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) /** * \brief Calculate a TLS 1.3 PSK binder. * diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index 426f6f0e191a..efb1622c2a05 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function @@ -3916,7 +3916,7 @@ void ssl_tls1_3_derive_resumption_secrets( int hash_alg, } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ +/* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL:MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */ void ssl_tls1_3_create_psk_binder( int hash_alg, data_t *psk, int psk_type, From a2e457b74fe6314b9e940813883f72159503313b Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Sat, 4 Sep 2021 17:15:44 +0800 Subject: [PATCH 14/17] fix fail without have_time Change-Id: I81e378d43a4a52aaa8d3c7bd7712b52b8249da01 CustomizedGitHooks: yes --- programs/ssl/ssl_test_lib.h | 1 + 1 file changed, 1 insertion(+) diff --git a/programs/ssl/ssl_test_lib.h b/programs/ssl/ssl_test_lib.h index f9e031b587c3..27d1fd1ca1d9 100644 --- a/programs/ssl/ssl_test_lib.h +++ b/programs/ssl/ssl_test_lib.h @@ -24,6 +24,7 @@ #if defined(MBEDTLS_PLATFORM_C) #include "mbedtls/platform.h" +#include "mbedtls/platform_time.h" #else #include #include From 23ca050cb89ce67b40ab39291bab9c3fa3bdb299 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Sat, 4 Sep 2021 17:30:35 +0800 Subject: [PATCH 15/17] fix unused variable warning Change-Id: I3c4bf28f23d596edb2d435174888b71254961bd7 CustomizedGitHooks: yes Signed-off-by: Jerry Yu --- library/ssl_tls13_server.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index 45057af8a2e0..a4f363861ae5 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c @@ -3351,7 +3351,7 @@ static int ssl_write_hello_retry_request_write( mbedtls_ssl_context* ssl, int ret; unsigned char *p = buf; unsigned char *end = buf + buflen; - unsigned char *ext_len_byte; + size_t ext_length; size_t total_ext_len = 0; unsigned char *extension_start; @@ -3421,7 +3421,7 @@ static int ssl_write_hello_retry_request_write( mbedtls_ssl_context* ssl, * } Cookie; * */ - + unsigned char *ext_len_byte; /* Write extension header */ *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_COOKIE >> 8 ) & 0xFF ); *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_COOKIE >> 0 ) & 0xFF ); From 903699919be2ef9a931a38b7181445ae129647e0 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Sat, 4 Sep 2021 19:01:06 +0800 Subject: [PATCH 16/17] fix issue without psk Signed-off-by: Jerry Yu --- library/ssl_tls13_client.c | 5 +++-- library/ssl_tls13_keys.c | 11 ++++++++--- library/ssl_tls13_server.c | 3 ++- 3 files changed, 13 insertions(+), 6 deletions(-) diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c index 9a3675870b0b..be1c6e8684f2 100644 --- a/library/ssl_tls13_client.c +++ b/library/ssl_tls13_client.c @@ -341,9 +341,10 @@ static int ssl_write_early_data_coordinate( mbedtls_ssl_context* ssl ) static int ssl_write_early_data_postprocess( mbedtls_ssl_context* ssl ) { +#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) /* Clear PSK we've used for the 0-RTT. */ mbedtls_ssl_remove_hs_psk( ssl ); - +#endif mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SERVER_HELLO ); return ( 0 ); } @@ -2466,7 +2467,7 @@ static int ssl_encrypted_extensions_process( mbedtls_ssl_context* ssl ) MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_fetch_handshake_msg( ssl, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSION, &buf, &buflen ) ); - + MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse encrypted extensions" ) ); /* Process the message contents */ MBEDTLS_SSL_PROC_CHK( ssl_encrypted_extensions_parse( ssl, buf, buflen ) ); diff --git a/library/ssl_tls13_keys.c b/library/ssl_tls13_keys.c index b19504c2f631..100c39b7d94f 100644 --- a/library/ssl_tls13_keys.c +++ b/library/ssl_tls13_keys.c @@ -1254,11 +1254,16 @@ int mbedtls_ssl_tls1_3_key_schedule_stage_early_data( return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); } mbedtls_md_type_t const md_type = ssl->handshake->ciphersuite_info->mac; - + const unsigned char *input = NULL; + size_t input_len = 0; +#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) + input = ssl->handshake->psk; + input_len = ssl->handshake->psk_len; +#endif ret = mbedtls_ssl_tls1_3_evolve_secret( md_type, NULL, /* Old secret */ - ssl->handshake->psk, - ssl->handshake->psk_len, + input, + input_len, ssl->handshake->tls1_3_master_secrets.early ); if( ret != 0 ) { diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index a4f363861ae5..92e04f53a9d5 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c @@ -2733,6 +2733,7 @@ static int ssl_client_hello_parse( mbedtls_ssl_context* ssl, return( ret ); #endif /* MBEDTLS_ZERO_RTT */ +#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) /* If we've settled on a PSK-based exchange, parse PSK identity ext */ if( mbedtls_ssl_tls13_kex_with_psk( ssl ) ) { @@ -2746,7 +2747,7 @@ static int ssl_client_hello_parse( mbedtls_ssl_context* ssl, return( ret ); } } - +#endif #if defined(MBEDTLS_SSL_COOKIE_C) /* If we failed to see a cookie extension, and we required it through the * configuration settings ( rr_config ), then we need to send a HRR msg. From 29604d577695183f6a729e38991ac58b567f790e Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Sat, 4 Sep 2021 19:38:08 +0800 Subject: [PATCH 17/17] fix warnings without psk Signed-off-by: Jerry Yu --- library/ssl_tls13_server.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index 92e04f53a9d5..793823f8d518 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c @@ -2262,13 +2262,15 @@ static int ssl_client_hello_parse( mbedtls_ssl_context* ssl, int ret; size_t i, j; size_t comp_len, sess_len; - size_t ciph_len, ext_len, ext_len_psk_ext = 0; + size_t ciph_len, ext_len; unsigned char *orig_buf, *end = buf + buflen; unsigned char *ciph_offset; unsigned char *p = NULL; unsigned char *ext = NULL; unsigned char *ext_psk_ptr = NULL; - +#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) + size_t ext_len_psk_ext = 0; +#endif const int* ciphersuites; const mbedtls_ssl_ciphersuite_t* ciphersuite_info;