lib/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-07-30 22:43:08 +03:00
Code Activity

Remove TLS 1.2 Exporter if we don't have randbytes

Browse Source 
The TLS-Exporter in TLS 1.2 requires client_random and server_random.
Unless MBEDTLS_SSL_CONTEXT_SERIALIZATION is defined, these aren't stored
after the handshake is completed.

Therefore, mbedtls_ssl_export_keying_material() exists only if either
MBEDTLS_SSL_CONTEXT_SERIALIZATION is defined or MBEDTLS_SSL_PROTO_TLS1_2
is *not* defined.

Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com>
This commit is contained in:
Max Fillinger
2024-10-23 18:35:09 +02:00
parent c9f2c9adba
commit 281fb79116
4 changed files with 23 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
include/mbedtls/ssl.h
View File

@ -5407,11 +5407,13 @@ int mbedtls_ssl_tls_prf(const mbedtls_tls_prf_types prf,
* *
* \return 0 on success. An SSL specific error on failure. * \return 0 on success. An SSL specific error on failure.
*/ */
#if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION) || !defined(MBEDTLS_SSL_PROTO_TLS1_2)
int mbedtls_ssl_export_keying_material(mbedtls_ssl_context *ssl, int mbedtls_ssl_export_keying_material(mbedtls_ssl_context *ssl,
uint8_t *out, const size_t key_len, uint8_t *out, const size_t key_len,
const char *label, const size_t label_len, const char *label, const size_t label_len,
const unsigned char *context, const size_t context_len, const unsigned char *context, const size_t context_len,
const int use_context); const int use_context);
#endif
#ifdef __cplusplus #ifdef __cplusplus
} }
#endif #endif

9
library/ssl_tls.c
View File

@ -8930,6 +8930,9 @@ int mbedtls_ssl_verify_certificate(mbedtls_ssl_context *ssl,
} }
#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
#if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION) || !defined(MBEDTLS_SSL_PROTO_TLS1_2)
#if defined(MBEDTLS_SSL_PROTO_TLS1_2) #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
static int mbedtls_ssl_tls12_export_keying_material(const mbedtls_ssl_context *ssl, static int mbedtls_ssl_tls12_export_keying_material(const mbedtls_ssl_context *ssl,
const mbedtls_md_type_t hash_alg, const mbedtls_md_type_t hash_alg,
@ -8982,7 +8985,7 @@ static int mbedtls_ssl_tls12_export_keying_material(const mbedtls_ssl_context *s
mbedtls_free(prf_input); mbedtls_free(prf_input);
return ret; return ret;
} }
#endif #endif /* defined(MBEDTLS_SSL_PROTO_TLS1_2) */
#if defined(MBEDTLS_SSL_PROTO_TLS1_3) #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
static int mbedtls_ssl_tls13_export_keying_material(mbedtls_ssl_context *ssl, static int mbedtls_ssl_tls13_export_keying_material(mbedtls_ssl_context *ssl,
@ -9010,7 +9013,7 @@ static int mbedtls_ssl_tls13_export_keying_material(mbedtls_ssl_context *ssl,
(const unsigned char *) label, label_len, (const unsigned char *) label, label_len,
context, context_len, out, key_len); context, context_len, out, key_len);
} }
#endif #endif /* defined(MBEDTLS_SSL_PROTO_TLS1_3) */
int mbedtls_ssl_export_keying_material(mbedtls_ssl_context *ssl, int mbedtls_ssl_export_keying_material(mbedtls_ssl_context *ssl,
uint8_t *out, const size_t key_len, uint8_t *out, const size_t key_len,
@ -9049,4 +9052,6 @@ int mbedtls_ssl_export_keying_material(mbedtls_ssl_context *ssl,
} }
} }
#endif /* defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION) || !defined(MBEDTLS_SSL_PROTO_TLS1_2) */
#endif /* MBEDTLS_SSL_TLS_C */ #endif /* MBEDTLS_SSL_TLS_C */

12
programs/ssl/ssl_client2.c
View File

@ -336,7 +336,11 @@ int main(void)
" in the form of base64 code (serialize option\n" \ " in the form of base64 code (serialize option\n" \
" must be set)\n" \ " must be set)\n" \
" default: \"\" (do nothing)\n" \ " default: \"\" (do nothing)\n" \
" option: a file path\n" " option: a file path\n" \
" exp_label=%%s Label to input into TLS-Exporter\n" \
" default: None (don't try to export a key)\n" \
" exp_len=%%d Length of key to extract from TLS-Exporter \n" \
" default: 20\n"
#else #else
#define USAGE_SERIALIZATION "" #define USAGE_SERIALIZATION ""
#endif #endif
@ -391,10 +395,6 @@ int main(void)
" read_timeout=%%d default: 0 ms (no timeout)\n" \ " read_timeout=%%d default: 0 ms (no timeout)\n" \
" max_resend=%%d default: 0 (no resend on timeout)\n" \ " max_resend=%%d default: 0 (no resend on timeout)\n" \
" skip_close_notify=%%d default: 0 (send close_notify)\n" \ " skip_close_notify=%%d default: 0 (send close_notify)\n" \
" exp_label=%%s Label to input into TLS-Exporter\n" \
" default: None (don't try to export a key)\n" \
" exp_len=%%d Length of key to extract from TLS-Exporter \n" \
" default: 20\n" \
"\n" \ "\n" \
USAGE_DTLS \ USAGE_DTLS \
USAGE_CID \ USAGE_CID \
@ -2499,6 +2499,7 @@ usage:
} }
#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
#if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION)
if (opt.exp_label != NULL && opt.exp_len > 0) { if (opt.exp_label != NULL && opt.exp_len > 0) {
unsigned char *exported_key = calloc((size_t) opt.exp_len, sizeof(unsigned int)); unsigned char *exported_key = calloc((size_t) opt.exp_len, sizeof(unsigned int));
if (exported_key == NULL) { if (exported_key == NULL) {
@ -2521,6 +2522,7 @@ usage:
mbedtls_printf("\n\n"); mbedtls_printf("\n\n");
fflush(stdout); fflush(stdout);
} }
#endif /* defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION) */
/* /*
* 6. Write the GET request * 6. Write the GET request

12
programs/ssl/ssl_server2.c
View File

@ -471,7 +471,11 @@ int main(void)
" in the form of base64 code (serialize option\n" \ " in the form of base64 code (serialize option\n" \
" must be set)\n" \ " must be set)\n" \
" default: \"\" (do nothing)\n" \ " default: \"\" (do nothing)\n" \
" option: a file path\n" " option: a file path\n" \
" exp_label=%%s Label to input into TLS-Exporter\n" \
" default: None (don't try to export a key)\n" \
" exp_len=%%d Length of key to extract from TLS-Exporter \n" \
" default: 20\n"
#else #else
#define USAGE_SERIALIZATION "" #define USAGE_SERIALIZATION ""
#endif #endif
@ -519,10 +523,6 @@ int main(void)
" event=%%d default: 0 (loop)\n" \ " event=%%d default: 0 (loop)\n" \
" options: 1 (level-triggered, implies nbio=1),\n" \ " options: 1 (level-triggered, implies nbio=1),\n" \
" read_timeout=%%d default: 0 ms (no timeout)\n" \ " read_timeout=%%d default: 0 ms (no timeout)\n" \
" exp_label=%%s Label to input into TLS-Exporter\n" \
" default: None (don't try to export a key)\n" \
" exp_len=%%d Length of key to extract from TLS-Exporter \n" \
" default: 20\n" \
"\n" \ "\n" \
USAGE_DTLS \ USAGE_DTLS \
USAGE_SRTP \ USAGE_SRTP \
@ -3619,6 +3619,7 @@ handshake:
mbedtls_printf("\n"); mbedtls_printf("\n");
} }
#if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION)
if (opt.exp_label != NULL && opt.exp_len > 0) { if (opt.exp_label != NULL && opt.exp_len > 0) {
unsigned char *exported_key = calloc((size_t) opt.exp_len, sizeof(unsigned int)); unsigned char *exported_key = calloc((size_t) opt.exp_len, sizeof(unsigned int));
if (exported_key == NULL) { if (exported_key == NULL) {
@ -3641,6 +3642,7 @@ handshake:
mbedtls_printf("\n\n"); mbedtls_printf("\n\n");
fflush(stdout); fflush(stdout);
} }
#endif /* defined(MBEDTLS_SSL_CONTEXT_SERIALZIATION) */
#if defined(MBEDTLS_SSL_DTLS_SRTP) #if defined(MBEDTLS_SSL_DTLS_SRTP)
else if (opt.use_srtp != 0) { else if (opt.use_srtp != 0) {