lib/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-07-29 11:41:15 +03:00
Code Activity

Enforce maximum size of early data when rejected

Browse Source 
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
This commit is contained in:
Ronald Cron
2024-02-08 15:48:29 +01:00
parent 2160bfe4e2
commit 919e596c05
3 changed files with 56 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
library/ssl_msg.c
View File

@ -4005,7 +4005,11 @@ static int ssl_prepare_record_content(mbedtls_ssl_context *ssl,
MBEDTLS_SSL_EARLY_DATA_TRY_TO_DEPROTECT_AND_DISCARD)) { MBEDTLS_SSL_EARLY_DATA_TRY_TO_DEPROTECT_AND_DISCARD)) {
MBEDTLS_SSL_DEBUG_MSG( MBEDTLS_SSL_DEBUG_MSG(
3, ("EarlyData: deprotect and discard app data records.")); 3, ("EarlyData: deprotect and discard app data records."));
/* TODO: Add max_early_data_size check here, see issue 6347 */
ret = mbedtls_ssl_tls13_check_early_data_len(ssl, rec->data_len);
if (ret != 0) {
return ret;
}
ret = MBEDTLS_ERR_SSL_CONTINUE_PROCESSING; ret = MBEDTLS_ERR_SSL_CONTINUE_PROCESSING;
} }
#endif /* MBEDTLS_SSL_EARLY_DATA && MBEDTLS_SSL_SRV_C */ #endif /* MBEDTLS_SSL_EARLY_DATA && MBEDTLS_SSL_SRV_C */

9
tests/suites/test_suite_ssl.data
View File

@ -3318,3 +3318,12 @@ tls13_srv_max_early_data_size:TEST_EARLY_DATA_ACCEPTED:3
TLS 1.3 srv, max early data size, max=97 TLS 1.3 srv, max early data size, max=97
tls13_srv_max_early_data_size:TEST_EARLY_DATA_ACCEPTED:97 tls13_srv_max_early_data_size:TEST_EARLY_DATA_ACCEPTED:97
TLS 1.3 srv, max early data size, server rejects, default
tls13_srv_max_early_data_size:TEST_EARLY_DATA_SERVER_REJECTS:-1
TLS 1.3 srv, max early data size, server rejects, max=3 (very small)
tls13_srv_max_early_data_size:TEST_EARLY_DATA_SERVER_REJECTS:3
TLS 1.3 srv, max early data size, server rejects, max=97
tls13_srv_max_early_data_size:TEST_EARLY_DATA_SERVER_REJECTS:97

45
tests/suites/test_suite_ssl.function
View File

@ -4466,6 +4466,7 @@ void tls13_srv_max_early_data_size(int scenario, int max_early_data_size_arg)
char pattern[128]; char pattern[128];
unsigned char buf_write[64]; unsigned char buf_write[64];
size_t early_data_len = sizeof(buf_write); size_t early_data_len = sizeof(buf_write);
uint32_t expended_early_data_len = 0;
uint32_t written_early_data_size = 0; uint32_t written_early_data_size = 0;
int write_early_data_flag = 1; int write_early_data_flag = 1;
uint32_t max_early_data_size; uint32_t max_early_data_size;
@ -4503,6 +4504,14 @@ void tls13_srv_max_early_data_size(int scenario, int max_early_data_size_arg)
case TEST_EARLY_DATA_ACCEPTED: case TEST_EARLY_DATA_ACCEPTED:
break; break;
case TEST_EARLY_DATA_SERVER_REJECTS:
server_options.early_data = MBEDTLS_SSL_EARLY_DATA_DISABLED;
ret = mbedtls_snprintf(pattern, sizeof(pattern),
"EarlyData: deprotect and discard app data records.");
TEST_ASSERT(ret < (int) sizeof(pattern));
mbedtls_debug_set_threshold(3);
break;
default: default:
TEST_FAIL("Unknown scenario."); TEST_FAIL("Unknown scenario.");
} }
@ -4552,7 +4561,7 @@ void tls13_srv_max_early_data_size(int scenario, int max_early_data_size_arg)
uint32_t remaining = max_early_data_size - uint32_t remaining = max_early_data_size -
server_ep.ssl.early_data_count; server_ep.ssl.early_data_count;
/* Reach maximum early data exactly */ /* In case of accepted early data, reach max_early_data_size exactly. */
if (early_data_len >= remaining) { if (early_data_len >= remaining) {
early_data_len = remaining; early_data_len = remaining;
write_early_data_flag = 0; write_early_data_flag = 0;
@ -4585,13 +4594,43 @@ void tls13_srv_max_early_data_size(int scenario, int max_early_data_size_arg)
written_early_data_size); written_early_data_size);
} }
break; break;
case TEST_EARLY_DATA_SERVER_REJECTS:
ret = mbedtls_ssl_handshake(&(server_ep.ssl));
/*
* Can be the case if max_early_data_size is smaller then the
* smallest inner content or protected record.
*/
if (ret == MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE) {
/* Beyond 64 for max_early_data_size it is suspicious */
TEST_ASSERT(max_early_data_size < 64);
goto exit;
}
TEST_ASSERT(ret == MBEDTLS_ERR_SSL_WANT_READ);
TEST_EQUAL(server_pattern.counter, 1);
server_pattern.counter = 0;
if (expended_early_data_len == 0) {
expended_early_data_len = server_ep.ssl.early_data_count;
}
remaining = max_early_data_size - server_ep.ssl.early_data_count;
if (expended_early_data_len > remaining) {
write_early_data_flag = 0;
}
break;
} }
TEST_ASSERT(server_ep.ssl.early_data_count <= max_early_data_size); TEST_ASSERT(server_ep.ssl.early_data_count <= max_early_data_size);
} }
mbedtls_debug_set_threshold(3); mbedtls_debug_set_threshold(3);
ret = write_early_data(&(client_ep.ssl), buf_write, 1);
TEST_EQUAL(ret, 1); early_data_len = (scenario == TEST_EARLY_DATA_ACCEPTED) ?
1 : sizeof(buf_write);
ret = write_early_data(&(client_ep.ssl), buf_write, early_data_len);
TEST_EQUAL(ret, early_data_len);
ret = mbedtls_snprintf(pattern, sizeof(pattern), ret = mbedtls_snprintf(pattern, sizeof(pattern),
"EarlyData: Too many early data received"); "EarlyData: Too many early data received");